Significant Events

A short list of high profile events in technology that highlight different aspects of Cybersecurity & Technology Risk Management.

2017: Equifax & IT Governance


Equifax suffered one of the largest data breaches in United States history: records for 147.9 million Americans, 15.2 million British citizens and about 19,000 Canadian citizens were compromised.  The breach led to the CEO of Equifax testifying before Congress and a $575 million settlement.  

The breach occurred when a well-known open source package used in an Internet-facing service was exploited through a publicly disclosed vulnerability.  From published news reports and testimony by the CEO, Equifax followed standard operating procedures for patching. 

The device that was exploited had been identified as needing the patch, which implies that high-risk Internet-facing services were both identified and prioritized for patching.  That shows proper asset management and prioritization based on risk.  In addition, the patch was scheduled for deployment before the exploit actually occurred.  With this information, we can say that Equifax followed best practices for three critical functions: 

  • Asset Management
  • Identification of High Risk Assets
  • Patch Management  

However, a device was not patched and subsequently exploited. From NBC News, the CEO said:

While Smith said he was personally "ultimately responsible for what happened" he also blamed a single unnamed person in the IT department for not updating, or "patching" one of Equifax's "portals" after the credit reporting giant was alerted to the security gap in March.

While this is obviously a case study in poor leadership - the CEO blaming a sole individual - it is also an example of poor governance.  Relying on one person to do their job is expected and normal.  However, given the importance of patching as a critical function, the governance of that patching process failed: management should have had tools and independent sources of evidence to confirm that critical devices were actually patched, rather than relying on the assurance of the person who was supposed to apply the patch.  Relying on one person to perform an absolutely critical function without any oversight or confirmation is a lack of governance.   
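The "independent confirmation" the paragraph above calls for is a technical control, not just a policy.  The following is an added example (not code from the original page or from Equifax) of what such a check looks like: it reconciles an asset inventory against the package versions a vulnerability scanner actually observed, ranks the gaps by exposure and criticality, and flags any asset whose patch ticket says "closed" while the evidence says "still vulnerable".  The asset names, the package name "webfw", the versions and the scan results are all constructed for illustration.

```python
"""Patch-compliance reconciliation for Internet-facing assets.

Added example (not code from the original page or from Equifax): confirms
that the fix for a known vulnerability is actually present on each asset by
comparing the version a scanner observed against the version the fix shipped
in, ranks the gaps by exposure and criticality, and flags assets whose ticket
says "closed" while the evidence says "still vulnerable".
Asset names, package name, versions and scan results are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    criticality: str        # "high", "medium" or "low"
    ticket_status: str      # what the patch ticket says: "open" or "closed"


def parse_version(version: str) -> tuple:
    """'2.3.32' -> (2, 3, 32). Comparing tuples avoids the string-comparison
    trap where '2.10.0' sorts before '2.9.9'."""
    return tuple(int(part) for part in version.split("."))


def is_fixed(observed: str, fixed_in: str) -> bool:
    """True when the observed version is at or past the version carrying the fix."""
    return parse_version(observed) >= parse_version(fixed_in)


def urgency(asset: Asset) -> int:
    """Lower means more urgent: exposed assets first, then by criticality."""
    rank = {"high": 0, "medium": 1, "low": 2}[asset.criticality]
    return rank if asset.internet_facing else rank + 10


def find_exceptions(assets, scan_results, package, fixed_in):
    """Return (asset_name, observed_version, ticket_contradicted) for every
    asset not confirmed fixed, most urgent first.

    scan_results maps asset name -> {package name: observed version}. An asset
    with no scan evidence is treated as unpatched (fail closed): absence of
    evidence is not evidence of patching.
    """
    exceptions = []
    for asset in assets:
        observed = scan_results.get(asset.name, {}).get(package)
        if observed is not None and is_fixed(observed, fixed_in):
            continue
        contradicted = asset.ticket_status == "closed"
        exceptions.append((asset, observed, contradicted))
    exceptions.sort(key=lambda item: urgency(item[0]))
    return [(a.name, obs, contra) for a, obs, contra in exceptions]


def demo():
    """Constructed inventory and scan output for a hypothetical package
    'webfw' whose fix shipped in version 2.3.32."""
    assets = [
        Asset("customer-portal", True, "high", "closed"),   # ticket closed, still vulnerable
        Asset("dispute-portal", True, "high", "closed"),    # genuinely fixed
        Asset("hr-intranet", False, "medium", "open"),      # known outstanding
        Asset("batch-etl", False, "low", "closed"),         # scanner never reached it
    ]
    scan_results = {
        "customer-portal": {"webfw": "2.3.20"},
        "dispute-portal": {"webfw": "2.3.32"},
        "hr-intranet": {"webfw": "2.3.20"},
    }
    return find_exceptions(assets, scan_results, "webfw", "2.3.32")


if __name__ == "__main__":
    for name, observed, contradicted in demo():
        flag = "TICKET CLOSED BUT NOT FIXED" if contradicted else ""
        print(f"{name:16} observed={observed or 'no scan data'} {flag}")
```

The point of the check is the third column: a closed ticket that disagrees with scanner evidence is exactly the gap that no amount of trust in one individual can close.  Treating "no scan data" as unpatched is deliberate; a device the scanner cannot see is a device nobody has confirmed.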

2015: Tech Risk Trifecta

On July 8th, 2015, a trifecta of technology 'glitches' occurred that made many wonder whether it was some type of coordinated attack or just bad luck.

First, the New York Stock Exchange halted trading.  The NYSE is a high-profile organization and a natural target for hackers.  However, this turned out to be a technical issue that resulted in a disruption of services lasting about four hours.  That disruption was later the subject of a $14 million fine by the SEC.  A very expensive disruption.

That same morning, United Airlines also suffered a technical glitch that resulted in flight delays for a few hours.

Finally, the Wall Street Journal's website was unavailable for a few hours as well.  While not nearly as high-profile or costly as the other two outages, it made for an interesting day in the news, and a good example of how technology has to be actively managed to prevent both malicious attacks and 'glitches'. 

One interesting observation about these events is that the press has chosen to use the word 'glitch' to describe technology events without a clear cause.  Hackers, rogue employees - those are known and understood.  If the cause is unknown, then it is called a 'glitch'.  

2014: Yahoo! & the True Cost of a Data Breach


In 2014, one of the original Internet search engines and portals, Yahoo!, was breached by hackers, who stole account information for approximately 500 million of its users.  While Yahoo! was not a high-risk site like a bank or a medical provider, the impact of that massive data theft was immense. 

The National Law Review summarizes the impact in their article, Lessons from the Yahoo Data Breaches (So Far):

  • Internal costs of the breach and investigation were $16 million.  
  • Yahoo! was fined $35 million by the SEC for filing false statements related to the breach.
  • Market capitalization declined by $1.3 billion.
  • Yahoo!'s sale price to Verizon decreased by $350 million.  

Even for websites and services considered low risk, the impact of a data breach or other technology event can be very expensive.  

2012: Knight Capital & Change Control

Knight Capital is an amazing example of a well-known and established technology process being performed badly and having a significant impact.  The downfall of Knight Capital was not due to malicious hackers or angry insiders: it was the result of poor change control.

Obviously, any firm needs to worry about outside attackers or unhappy employees trying to steal money.  But when you are dealing with a critical business service - in the case of Knight Capital, an algorithmic trading application - it's important to focus on the mundane as well.  Change control, ensuring that changes to applications, middleware or infrastructure are performed properly, is a mundane but critical function. 


For other firms, poor change control might lead to a service outage, and there are many examples of those.  In the case of Knight Capital, in less than an hour, it led to a loss of $440 million.  

When a change to the trading software was pushed to production, it was deployed to only seven of the eight intended servers; the remaining server kept running old code.  With the change not everywhere, orders routed to that one server triggered the old code path, the trading system ran amok, and Knight lost $440 million.  The event is well documented.  

Knight Capital is an INCREDIBLE example of poor Technology Risk Management.  Technology Risk Management is focused on managing technology based on possible business impact.  While every firm relies on information technology today, the focus of controls and oversight should be on the technology or services with the most potential business impact on the company.  In this example, the change to this trading application should have been a high-profile change due to the possible negative impact of $440 million.  If the potential dollar losses had been clearly identified and articulated, more attention would have been paid to the change to ensure no mistakes were made.

Technology Risk Management identifies high value and high risk technology services and prioritizes controls for those services.  
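The control that was missing at Knight is a mundane one: confirm that a change reached every server before the new behaviour is switched on, and refuse to proceed if it did not.  The following is an added example (not Knight Capital's code, nor any real deployment tool) of such a fail-closed consistency gate: every host in the deployment group reports the digest of the artifact it is actually running, and a single stale or silent host blocks the cut-over.  The host names, the artifact contents and the "approved release" are constructed for illustration.

```python
"""Fail-closed consistency gate for a fleet deployment.

Added example (not Knight Capital's code or any real deployment tool): before
a new code path is switched on, every host in the deployment group must report
the same artifact digest as the approved release. A single host that still
runs the old build, or that has not reported at all, blocks the cut-over
instead of being silently ignored. Host names, artifact contents and the
'approved release' below are constructed for illustration.
"""
import hashlib


def digest(artifact: bytes) -> str:
    """SHA-256 of the deployed artifact, as each host would compute and report it."""
    return hashlib.sha256(artifact).hexdigest()


def consistency_gate(approved: str, reports: dict, required_hosts: list):
    """reports maps host -> digest that host reports for its deployed artifact.

    Returns (ok, stale_hosts, missing_hosts). ok is True only when every
    required host reported and every report equals the approved digest.
    """
    missing = sorted(h for h in required_hosts if h not in reports)
    stale = sorted(h for h in required_hosts
                   if h in reports and reports[h] != approved)
    return (not missing and not stale), stale, missing


def cut_over(approved: str, reports: dict, required_hosts: list) -> str:
    """Enable the new code path only if the gate passes; otherwise abort.
    Aborting is the safe state: old and new behaviour must never run side
    by side in the same trading group."""
    ok, stale, missing = consistency_gate(approved, reports, required_hosts)
    if not ok:
        raise RuntimeError(f"cut-over aborted: stale={stale} missing={missing}")
    return "new code path enabled on all hosts"


def demo():
    """Constructed scenario: an eight-host group where the push reached only
    seven hosts and the eighth still runs an old build."""
    approved = digest(b"release-2012-08-01: new order-routing logic")   # constructed artifact
    old_build = digest(b"release-2003: retired test-harness code")      # constructed artifact
    hosts = [f"trade-{i:02d}" for i in range(1, 9)]
    reports = {h: approved for h in hosts}
    reports["trade-08"] = old_build          # the host the deployment never reached
    return consistency_gate(approved, reports, hosts)


if __name__ == "__main__":
    ok, stale, missing = demo()
    print(f"gate ok={ok} stale={stale} missing={missing}")
```

Two design choices matter here.  The gate compares what each host actually runs, not what the deployment tool believes it pushed, so a host that was skipped shows up as stale rather than as a success.  And the only two outcomes are "all hosts match" or "abort": a mixed fleet is never allowed to trade, because that mixed state is precisely what cost Knight $440 million.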

2010: Stuxnet & CyberWar

In 2010, Stuxnet was discovered and revealed to the world as one of the first covert cyber weapons.  Stuxnet was a computer worm that targeted the centrifuges used to enrich uranium in Iran's covert nuclear weapons program.  

The attack was complex and comprehensive: it used several zero-day exploits, crossed an air-gapped network, targeted the SCADA and controller systems driving the centrifuges, and fed misleading readings back to operators to hide its activities.  

It is estimated the damage caused by Stuxnet set back Iran's enrichment program by 18 months.  

Wired and TechRepublic have authoritative articles on the attack, and YouTube has a good video about the entire event.  This nation-state attack is an example of both the complexity of these types of attacks and their impact.  

1989: Rebecca Schaeffer & Protecting PII

One of the saddest stories related to privacy and protecting personal information - and one of the reasons I entered the field - is that of Rebecca Schaeffer.  Rebecca was an actress just beginning her career, on the rise with a successful sitcom, when her personal privacy was breached.  That breach led to her death.

The story is well documented, with several shows describing the event and its aftermath, including CourtTV.  But to summarize, an obsessed fan obtained Rebecca's home address from the California Department of Motor Vehicles simply by asking for it (through a private investigator he had hired).  There were no controls or policies to prevent the sharing of her personal information: the DMV simply gave out an address upon request.  

As a result, her stalker was able to go to Rebecca's home, where he shot and killed her. 

I remember reading about this tragic event in the news and was upset to hear how simple the crime was to commit: just go to the DMV to get someone's address.  I had always been a private person, but that was my first exposure to how important it is for others (the DMV in this case) to protect the information they have about me and others.  Today, we are all familiar with data breaches, where companies inadvertently lose the personal information of their employees or clients.  In the U.S., stealing personal information is typically part of stealing an identity.  In other countries, it can lead to kidnapping and ransom demands.  

That was the start of my interest in privacy, information security - now called Cybersecurity - and Technology Risk Management. 

This event also foreshadowed the rise of identity theft in the United States.  If it's that easy to get your personal information from the DMV, attackers could also go after credit bureaus and other sources.  Unfortunately, many organizations, specifically credit bureaus, were reluctant to put additional controls in place to prevent identity theft: they make money by issuing credit.  The more credit that is available, the more money they make, and controls to limit identity theft would also slow down and limit access to credit by qualified consumers.  

Today, the good news is that most consumers are aware of identity theft and the importance of protecting their personal information.  And options exist to limit access to credit information and to monitor your credit profile.  

Unfortunately, it just took so long to make that progress.