Immediate Vault

Crisis Management in the Age of Cybercrime

[The following is a guest post by Richard S. Levick, Esq, president and chief executive officer of Levick Strategic Communications. You can follow Richard on Twitter @RichardLevick where he comments daily on risk management and crisis management.]

Immense as it may be, the March 30 Global Payments data breach that dominated headlines is only the latest in a series of events that made this current crisis eminently predictable. If there are any illusions that this breach was anomalous, consider the extent to which high-profile data breaches similarly dominated headlines in 2011.

Sony suffered over a dozen data breaches stemming from attacks that compromised its PlayStation Network, losing millions and facing customer class action lawsuits as a result. Cloud-based email service provider Epsilon suffered a spear-phishing attack, reportedly affecting 60 million customer emails. RSA, whose very business related to on-line security, experienced an embarrassing and damaging theft of information related to its SecurID system, necessitating an expenditure of more than $60 million on remediation, including rebuilding its tattered reputation.

And the list goes on.

Right now, just about all businesses face cyber risks. The worst include intellectual property losses due to economic espionage — by far the greatest risk to companies — as well as data breaches and ideological “hacktivists.” And the growth rate of those risks often exceeds a company’s ability to fight them.

Over the last decade, companies have experienced exponential increases in the volume and type of their digital assets along with an explosion in the types of storage devices that house them. With enterprise resource planning software, email, cloud computing, laptops, iPads, smart phones, and other portable devices, companies may have data storage systems that number in the hundreds. Managing and securing critical information has become a commensurately more daunting task.

As the situation grows worse, many boards and senior management now take a head-in-the-sand approach to cyber-threat management. A recent survey from Carnegie Mellon University’s CyLab analyzed the cyber governance policies of the Forbes Global 2000. Its findings are troubling. “Boards and senior management are still not exercising appropriate governance over the privacy and security of their digital assets,” states the report. Less than one-third undertake even the most basic cyber-governance responsibilities.

These findings are supported by an in-depth look at cyber-crime published by PricewaterhouseCoopers late last year. According to the survey, which polled nearly 4000 executives from 78 countries, while cybercrime ranks as one of the top four economic crimes (falling just after asset misappropriation, accounting fraud, and bribery/corruption), 40% of respondents reported that they had not received any cyber-security training. A quarter said that their CEOs and boards do not conduct regular, formal reviews of cyber-crime threats, and a majority reported either that their company does not have – or they do not know whether their company has – a cyber crisis-response plan.

Welcome to the risk management officer’s worst nightmare.

According to the Ponemon Institute’s most recent statistics, the average cost of a data breach is $7.2 million with the average cost per compromised record coming in at $214. But the damage done by a cyber-breach goes well beyond the initial information loss. Real costs from business interruption, intellectual property theft, lost customers and diminished shareholder value due to reputation damage all can — and do — inflate those figures. In fact, for 40% of respondents in the PwC study, it is the reputational damage from cybercrime that is their biggest fear.

As cyber-risks continue to grow, companies must therefore focus on reputation as well as strengthening the mechanisms with which data is secured. A few things are imperative.

Boards and senior management must take responsibility for crisis response. Their objective must be to crystalize the company’s crisis instincts – to make crisis response part of the institutional DNA.

Crisis plans are actually counter-productive if they are created simply to be put on a shelf and read only when they are needed. Particularly in the context of cyber-crime, a realm in which new risks seem to emerge almost daily, the need to revisit and revise the plans is exigent. Regular rehearsals, refinements, discussions and additions transform the culture into one rooted in not the possibility but, rather, the expectation of crisis.

Education of employees is imperative. Employees often assume that securing company information is solely the responsibility of company IT specialists – an assumption fraught with risk. Every employee in an organization has the responsibility and the means to protect company data.

In addition to education, the key for companies is to keep less information in the first place, according to Paul Rosenzweig, Esq., founder of Red Branch Law & Consulting, PLLC. Backing up data on the other end is also vital. And while there are attendant costs involved, they are well worth it, he says. “In a world in which the bottom line is everything and the benefit of your expenditure may be recaptured only over years, if ever, this is hard,” said Rosenzweig. “It may well seem like all cost and no benefit in the beginning – that is, until the day it is all benefit and no cost.”

Companies must also designate a response team and ensure that all participants understand their roles. During a crisis, the response team must make critical decisions with too little notice and too little information. Regular meetings ensure that team members understand their individual responsibilities and develop trust in one another. Periodic crisis team exercises allow companies to capture what goes right and what goes wrong in each simulation. The lessons learned are critical when a real crisis is at hand.

When a data breach does occur, companies must make full disclosure as quickly as possible and let stakeholders know how they plan to remediate the situation so that it will not recur. Focusing on corrective future initiatives can restore trust.

With the advent of new technologies, the risks for companies are now greater than ever. Companies’ ability to recognize this moment and transform the way they think about their information is key to long-term sustainability and brand value.

25 Members of Anonymous Arrested

The hacking collective known as Anonymous has suffered a setback. It was announced this morning that Interpol arrested 25 people with ties to the activist group.

On Tuesday, Interpol said that it began looking for the hackers as part of “Operation Unmask,” an initiative that launched in mid-February. The investigation was launched after Anonymous members claimed credit for denial of service attacks on the Colombian Ministry of Defense, presidential Web sites and an electric company in Chile, as well as an attack on the Web site of Chile’s National Library, the Associated Press reported.

As is customary with Anonymous, the group immediately sought revenge for the arrests, bringing down Interpol’s website briefly after the news broke.

The group made headlines earlier this week when it leaked information gathered from the Stratfor intelligence firm through Wikileaks. The website published an email obtained from Stratfor, an international affairs think tank, that alleges Pakistani intelligence and military officials were aware of Al Qaeda leader Osama bin Laden’s presence in Pakistan.

Of course, Anonymous is not the only hacking group to turn their beliefs and frustrations into breached data. There have been several high profile incidents, whether initiated by an individual or a group, within the past few months that have wreaked havoc at major companies. Here are just a few:

  • Sony — the company’s security policies have been questioned by several lawmakers after the electronics giant fell victim to more than a dozen cyber attacks since a major breach of its PlayStation Network and Qriocity services in May of last year.
  • Google — In June, the web powerhouse announced that several U.S. government officials using its Gmail service were the target of a phishing scam. China was blamed but no proof was ever produced.
  • RSA Security — Lockheed Martin suffered a “significant and tenacious” cyber attack in May that was believed to be the result of an earlier attack on RSA Security. RSA admitted in June that its security systems had been breached.

The arrest of Anonymous members comes on the heels of President Obama’s State of the Union address in which he called on Congress to pass “legislation that will secure our country from the growing dangers of cyber threats.” Never has this been more necessary than now. In fact, Wired recently ran a piece calling cyberwar “the new yellowcake.” It quotes Senate Commerce Committee Chairman Jack Rockefeller (D-W.Va.) as saying:

“Today’s cyber criminals have the ability to interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade the networks our defense and intelligence agencies rely on. Congress needs to act on comprehensive cybersecurity legislation immediately.”

Strong words. And true.

The fact is, no matter how many members of Anonymous are arrested, there will always be another group or individual ready to inflict damage on organizations and governments via the internet. The only thing we can do is prepare to manage that risk.

Supporters of WikiLeaks Launch Attack

It was just last week that our own Jared Wade wrote a post about how WikiLeaks’ next target may not be military or government affiliated at all; it could be your company.

Early next year, Julian Assange says, a major American bank will suddenly find itself turned inside out. Tens of thousands of its internal documents will be exposed on Wikileaks.org with no polite requests for executives’ response or other forewarnings. The data dump will lay bare the finance firm’s secrets on the Web for every customer, every competitor, every regulator to examine and pass judgment on.

The website that relies on truth in everything has gained a massive following of fanatic supporters. So fanatic, it seems, that they have retaliated against those who have recently wronged WikiLeaks or its founder, Julian Assange. Here’s a list of those companies or individuals who have fallen victim to cyberattacks launched by WikiLeaks supporters:

  • Mastercard.com — WikiLeaks relies on donations to keep running and it was Mastercard who processed such donations. Well, with the media firestorm around the website and Assange lately, the card company severed ties with the site.
  • Amazon.com — The giant online retailer decided to revoke server space it had once granted to WikiLeaks.
  • PayPal — The online payment service chose to cut off its commercial cooperation with WikiLeaks.

Other targets include the lawyer representing two women who have accused Assange of sexual abuse and PostFinance, Assange’s bank, which closed his account. The attacks have been organized and launched by a group of hackers called Anonymous. One of the members granted an interview to the New York Times.

That activist, Gregg Housh, said in a telephone interview that 1,500 activists were on online forums and chatrooms including Anonops.net, mounting mass and repeated “denial of service” attacks on sites that have moved against Mr. Assange and WikiLeaks in recent days. The hacker army has rallied around the theory that all the actions against the organization and against Mr. Assange, including the rape accusations, are politically motivated efforts to silence those challenging authority. “To all of us,” Mr. Housh said, “there is no distinction. He is a political prisoner and the two things are completely entwined.”

The group has been successful; the websites for Mastercard, PayPal and PostFinance were all experiencing difficulties. Even more frightening, Anonymous claims to be planning further attacks on company websites. So it is true then, WikiLeaks’ next target, either directly or indirectly, could be your company.