
Cloud Computing


April 3, 2012 9:46 AM | Posted by Roy Hadley | Permalink

This from Wall Street Journal:

 

“Concerns about credit-card security heightened Friday after a little-known Atlanta company disclosed it had been hit by hackers, potentially exposing hundreds of thousands of account holders to fraud.

 

Credit and debit card processor Global Payments has been hit by a security breach that has put some 50,000 cardholders at risk, Andrew Johnson reports on Lunch Break. Photo: Bloomberg News.

 

The breach at Global Payments, Inc. is the latest in a wave of data attacks that have heightened consumer concerns about identity theft. The card industry has been particularly vulnerable to those concerns amid a slew of big breaches in recent years as more Americans choose to pay with plastic rather than cash.”

 

The Wall Street Journal went on to say that “Global Payments didn't disclose what type of data had been accessed, but said it had notified ‘appropriate industry parties to allow them to minimize potential cardholder impact.’”

As these types of hacks continue to escalate, every company should ask, “How safe is our data?”

You can read the Wall Street Journal article here (subscription required).

January 16, 2012 10:56 AM | Posted by Roy Hadley | Permalink

Shawn Henry, the FBI's executive assistant director and top cyber official, recently stated in an interview that despite the growing prevalence of cyber crime against companies, most business owners and executives don't think that it will happen to their company. Henry went on to tell of a company that went out of business after $5 million was looted from its bank accounts, and of another business that had decades' worth of research and development, valued at over $1 billion, stolen "virtually overnight".

 

Henry stated that most hackers fit into three broad categories, "namely nation states targeting research and development, intellectual property and corporate strategies of American companies, terrorists who have shown a growing interest in using cyber attacks against critical infrastructure, and organized criminals wielding botnets (or networks of zombie computers) to attack corporate computer networks."

 

Cyber crime is here and is rapidly growing. What have you done to protect your company? 

 

You can read more about the interview with Assistant Director Henry here.

 

 

January 5, 2012 2:44 PM | Posted by John Watkins | Permalink

As 2011 has come to a close, it may be remembered as the “year of the hack.” Last week, we learned of an attack on Christmas day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has had one high-profile attack after another. In addition to hacking and data breaches, 2011 also saw a large-scale outage at a well-known cloud services provider, disrupting businesses using the service. We have reported on similar incidents since the inception of this blog.

If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to “old fashioned” businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper.


December 22, 2011 3:05 PM | Posted by Roy Hadley | Permalink

As attacks on corporate networks continue to escalate, we are seeing more and more instances of very sophisticated intrusions.  The recent discovery of the breach of the U.S. Chamber of Commerce illustrates that these types of attacks will continue to progress in both their frequency and sophistication.

 

It is being reported that the U.S. Chamber might not have been the ultimate target but instead was potentially being used as a gateway to the networks of its members.

 

What are you doing to protect your networks?  What are your trusted business partners doing? 

 

Here is more on the U.S. Chamber of Commerce attack as reported at TechTarget.com:

 

Spear phishing attacks likely key in U.S. Chamber of Commerce breach, experts say

 

Robert Westervelt, News Director
Published: 21 Dec 2011

 

A targeted attack responsible for the U.S. Chamber of Commerce breach exploited serious weaknesses in the lobbying group’s security defenses, according to security experts, and could have been a staging ground for attacks on Chamber member organizations.

 

Investigators have not determined how attackers infiltrated the U.S. Chamber of Commerce, but once in, the attackers stealthily targeted approximately four people involved in the Chamber’s Asian policy affairs, according to a report in the Washington Post.  Experts said that while it’s unclear if spear phishing attacks were involved, they have become the modus operandi of many of the most sophisticated attacks, enabling cybercriminals to gain the initial foothold in an organization’s systems.

 

“Years ago we used to say people got in through server vulnerabilities, but if we look back at this year of Microsoft vulnerabilities, we see a high majority of them we would classify as client-side bugs,” said Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle. “Many of these attacks require the user to take some action, but they’re taking advantage of a piece of software that is otherwise silent but the user has activated it.”

 

The organization learned of the attack from the FBI, and an independent team of forensics investigators said the Chamber’s systems were compromised between November 2009 and May of 2010, though investigators said the attackers may have had network access for more than a year.

 

You can read the entire TechTarget article here.

 

December 20, 2011 2:09 PM | Posted by Kevin Erdman | Permalink

When looking at the various legal issues relating to cloud computing, it is important to understand the technical details of the particular storage or service being considered. While all may at some level seem the same, working out the details of service level agreements, privacy and security provisions, and disaster recovery options requires knowing which of the several new computing paradigms emerging from large commercial clouds is actually being used.

 

One prevalent variation involves virtual machine based utility computing environments such as Amazon AWS and Microsoft Azure. On a virtual machine, one must be aware of how and where data is transferred in the processing performed by the virtual machine. The particular potential security vulnerabilities should also be addressed, as they are quite different from those of physically secured computing devices. Indemnification may also be a difficult issue because of the difficulty of determining the source of an error in such an environment.

 

Another cloud computing variation involves the MapReduce programming paradigm, which comes from the information retrieval field and has been shown to be effective for scientific data analysis. In the MapReduce environment, problems are partitioned and de-aggregated by inputs and computation steps into a multitude of sub-problems. Eventually every sub-sub-sub-problem is resolved by a cloud resource, and then the solutions are successively combined to create a final solution. Because the MapReduce environment dynamically partitions and re-assembles, the actual locations and incidences of transmission are not known beforehand (and may be difficult to determine afterwards in the event of an error).

 

For any cloud computing project, the location, security and storage of the data may have legal significance, and the underlying cloud computing technology needs to be considered when framing the legal protections. While a “cloud computing environment” may sound well defined, in many contexts additional disclosures are needed to determine whether a particular solution is appropriate for the nature of the data.
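The following is an added illustration of the point made above about MapReduce, not code from the post or from any cloud provider: a toy MapReduce job whose scheduler places each sub-problem on a worker node dynamically, enforces a data-location policy at placement time, and keeps a provenance log so that where each record was processed can be reconstructed afterwards. The node names, regions, records and policy are all constructed for the example.

```python
"""Toy MapReduce with data-residency placement and a provenance log (added example)."""
from collections import defaultdict
import random

# Constructed inventory of hypothetical worker nodes and the jurisdiction each sits in.
NODES = {"node-a": "US", "node-b": "US", "node-c": "EU", "node-d": "EU"}


def plan_placement(records, policy, rng):
    """Assign each record to a node whose region the record's policy permits.

    Placement is chosen at run time (as a real scheduler would), so it is not
    known beforehand; the placement list is what lets us know it afterwards.
    """
    placement = []
    for rec in records:
        allowed = [n for n, region in NODES.items() if region in policy[rec["tag"]]]
        if not allowed:
            # Refuse the job rather than silently processing data where it may not go.
            raise ValueError(f"no node may hold {rec['tag']!r} data")
        placement.append((rec, rng.choice(allowed)))
    return placement


def map_phase(placement):
    """Each node emits (word, 1) pairs for its shard and a provenance entry."""
    intermediate = []
    provenance = []
    for rec, node in placement:
        for word in rec["text"].split():
            intermediate.append((word.lower(), 1))
        provenance.append({"record": rec["id"], "node": node,
                           "region": NODES[node], "step": "map"})
    return intermediate, provenance


def reduce_phase(intermediate):
    """Combine the partial results from every node into the final word counts."""
    counts = defaultdict(int)
    for key, n in intermediate:
        counts[key] += n
    return dict(counts)


def run_job(records, policy, seed=None):
    """Run the whole job; returns (final result, provenance log)."""
    rng = random.Random(seed)
    placement = plan_placement(records, policy, rng)
    intermediate, provenance = map_phase(placement)
    return reduce_phase(intermediate), provenance


def regions_that_touched(provenance, record_id):
    """After the fact: which jurisdictions did a given record pass through?"""
    return sorted({p["region"] for p in provenance if p["record"] == record_id})


# Constructed sample input: one ordinary record, one subject to an EU-only policy.
RECORDS = [
    {"id": 1, "tag": "public", "text": "cloud contract cloud audit"},
    {"id": 2, "tag": "eu-personal", "text": "patient record cloud"},
]
POLICY = {"public": {"US", "EU"}, "eu-personal": {"EU"}}

if __name__ == "__main__":
    result, log = run_job(RECORDS, POLICY, seed=7)
    print(result)
    for entry in log:
        print(entry)
```

The final result is the same whichever nodes the scheduler picks; only the provenance log tells you where the data actually went, which is the information a contract's audit or location clause would need.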

November 11, 2011 10:37 AM | Posted by Kevin Erdman | Permalink

The National Institute of Standards and Technology (NIST) recently released a three volume work in progress relating to U.S. government adoption of cloud computing technologies. In the preliminary discussion, the security requirement is noted as “not considered to be fully met at present.” Cloud Providers, and cloud users, should be aware of the development of federal guidelines, as a new federal standard may have a significant effect on cloud computing standards of care. The full three volumes, and related information, may be found at the NIST cloud computing center, and the deadline for comments is December 2, 2011.

 

While NIST is working on developing federal contracting standards for security, non-governmental entities must also be concerned about security for compliance with data breach laws, in some particular industries for regulatory compliance, and generally for marketing considerations. Despite there being a variety of types of cloud computing customers, “as-a-service” providers often take a one-size-fits-all approach to security. Each such cloud provider generally has a security policy, and that is all it will agree to, regardless of whether it satisfies the individual customer’s particular security needs, in order to keep costs down, and such cloud providers seem hesitant to provide customers with unique services. A more cooperative discussion regarding security of data may be needed, both from a contractual agreement standpoint and a risk management standpoint, and the results of the discussion should be documented with appropriate contractual language.

 

Typically, outsourcing providers resist granting broad audit rights to their customers, and cloud computing “as-a-service” providers are even more reluctant. To protect their interest in the security of their data, cloud users may demand a quality audit of an “as-a-service” provider, which would require a significantly more in-depth look into the cloud computing provider’s computer systems and proprietary methods. As a customer is relinquishing even more control of its data than under a more traditional service contract, the desire and need for an audit should be greater. These concerns are compounded if the “as-a-service” provider uses a third-party hosting company to host the data and run the “as-a-service” provider’s application. In such an instance, customers should consider requiring the right to audit that third-party host’s data centers and security systems as well.

October 25, 2011 11:03 AM | Posted by Roy Hadley | Permalink

FastCompany.com is reporting that the biometric data of almost every Israeli citizen has been compromised and is now available on the Internet. According to FastCompany.com:

 

"Authorities in the Middle Eastern country announced the arrest on Monday of a suspect responsible for the massive data theft. He's a contract worker at the Israeli Welfare Ministry who was allegedly engaged in small-scale white collar crimes after-hours and who is accused of stealing Israel's primary national biometric database in 2006. He had access to the database, which is part of the country's population registry, through his office."

 

The FastCompany.com article went on to say that "[T]he stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis--including children--and detailed health information on individual citizens."

 

Clearly, as more governments, such as India and Germany, collect more biometric data on their citizens, the security of such information will continue to be an issue.  For corporate America, this breach underscores the need to keep security at the forefront as you collect and use more and more personal information for customers and employees.

 

You can read the FastCompany.com article by clicking here.

October 24, 2011 3:27 PM | Posted by Jeffrey Peabody | Permalink

As the eighth annual National Cyber Security Awareness month winds down, a new survey highlights the dangerous disconnect between perception and reality among small business owners about their cyber security efforts. The survey, sponsored by Symantec and the National Cyber Security Alliance, found that more than 80 percent of small business owners believed they were safe from cyber attacks, yet relatively few took steps to eliminate the risks of such attacks by, for example, formalizing an internet security policy or preparing a contingency plan in the event of a data breach. 

 

Perhaps more troubling, the survey demonstrated that the ill-preparedness of small businesses is not due to a lack of awareness of such risks, or an underestimation of the harm cyber attacks pose to their day-to-day operations. Indeed, two-thirds of the surveyed companies say their company is dependent on the Internet, and many of the companies indicated they deal with sensitive information such as financial records, private customer data and intellectual property. 

 

Because the media often focuses its attention on the large, sophisticated cyber attacks that disrupt large corporations and result in massive data and privacy breaches, it is easy for small businesses to believe that they are simply not an attractive target for cyber thieves. Yet in many respects smaller businesses represent the “low hanging fruit” for such attacks, since they still deal with sensitive and valuable information. Moreover, given their smaller size, small businesses may stand to lose more from cyber attacks.

 

Given the ease with which cyber attacks can be launched, and the increased frequency of such attacks, small business owners would do well to re-evaluate their efforts to keep their data safe and secure.

October 12, 2011 12:17 PM | Posted by Roy Hadley | Permalink

According to a recent article in Wired Magazine, “Two separate hacker groups whose activities are already known to authorities were behind the serious breach of RSA Security earlier this year and were likely working at the behest of a government, according to new statements from the company’s president.”

The article goes on to state that due to the sophisticated nature of the breach, RSA believes that a nation-state had to be behind the attack. Clearly, the question then becomes “which nation-state”?

I think the takeaway for businesses should be that attacks and the actors are getting more sophisticated in their actions. As such, the security of data, systems and operations should become one of a company’s top IT priorities.

You can read the Wired Magazine article here:
http://www.wired.com/threatlevel/2011/10/two-hacker-groups-breached-rsa/  

September 8, 2011 5:13 PM | Posted by Roy Hadley | Permalink
As companies become more and more dependent on new technologies such as cloud computing and tablets to run their businesses, cyber espionage is increasingly becoming an issue, albeit an oftentimes overlooked issue.

A very nice article in the most recent issue of Foreign Policy online illustrates the growing threats faced by companies that connect their systems and operations via the internet. Essentially, the article underscores the thought that foreign companies and governments are increasingly using espionage as a way to compete and as a way to conduct “research and development."

The article states that for corporate America, the cyber war is already here. What are your defenses?

You can read the article here: http://www.foreignpolicy.com/articles/2011/09/06/the_calm_before_the_storm?page=0,0  
August 17, 2011 2:22 PM | Posted by Roy Hadley | Permalink

The Cloud Security Alliance (CSA) has just released their Cloud Controls Matrix, version 1.1.  According to the CSA website, "The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider."

 

For somewhat sophisticated security professionals, the Matrix is a good starting point for a security assessment framework.

The tool can be found here: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/

August 3, 2011 10:33 AM | Posted by Roy Hadley | Permalink

This from CNET.com reporting on the new cybercrime study from the Ponemon Institute:

 

"A new annual study on the cost of cybercrime conducted by the Ponemon Institute has found that the expense of dealing with cybercrime is on the rise from last year.

 

The study, which was funded by Hewlett-Packard, found that the median cost of cybercrime to the 50 organizations it surveyed was $5.9 million per year, based on a range of $1.5 million to $36.5 million per year. That's up 56 percent from the $3.8 million median found in last year's study, which ranged from $1 million to $53 million per year.

 

That large median dollar amount for dealing with threats includes detection and investigation, as well as follow-through actions such as containment and recovery.

 

In terms of dealing with threats, the study found that the average time to address one is 18 days, resulting in an average price tag of $416,000. That's up from an average 14-day period and $250,000 per attack last year. Also up were the number of successful attacks; 72 were counted during the four-week test, marking a 45 percent bump from last year's study."

 

You can read the complete CNET article here:

http://news.cnet.com/8301-1009_3-20087069-83/study-cybercrime-costs-on-the-rise-from-last-year/#ixzz1TuocwR00

 

We will also pass along a link to the Ponemon study when it is released.

July 25, 2011 3:02 PM | Posted by Roy Hadley | Permalink

More and more clients are beginning to inquire about cyber-insurance policies to guard against data breaches and other cyber-related losses.  However, when companies don’t have specialized coverages they have to rely on their general liability coverage in the event of a loss.

 

For these companies, however, Reuters is reporting a potentially troubling set of events. Specifically, Reuters is reporting that:

 

Zurich American Insurance Co asked a New York state court in documents filed late on Wednesday to rule it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general."

 

Zurich American, a unit of Zurich Financial Services, also sued units of Mitsui Sumitomo Insurance, AIG and ACE Ltd, asking the court to clarify their responsibilities under various insurance policies they had written for Sony.

 

"Zurich doesn't think there's coverage, but to the extent there may be a duty to defend it wants to make sure all of the insurers with a potential duty to defend are contributing," said Richard Bortnick, an attorney at Cozen O'Connor and publisher of the digital law blog CyberInquirer.

 

Bortnick, who is not involved in the case, said that while Sony may be able to claim there was property damage as a result of the data breach, Zurich is likely to argue that the sort of general liability insurance it wrote for Sony was never intended to cover digital attacks.

 

What type of coverage do you have and what do your policies say? 

 

You can read the article here:

http://www.reuters.com/article/2011/07/21/us-insurance-sony-idUSTRE76K3PY20110721

July 14, 2011 9:31 AM | Posted by Roy Hadley | Permalink

This from SC Magazine:

 

"The Canadian intelligence service has singled out cyber attacks as one of the biggest threats facing Canada in its latest annual report.

 

The Canadian Security Intelligence Service (CSIS), which is responsible for investigating threats to national security, said that politically motivated threats, or attacks against critical information infrastructure, are of particular interest to it.

 

Foreign states, extremists, criminals and politically motivated individuals top the organisation's list of bad actors that could use Canada's competing infrastructure against it.

 

Energy, finance and telecommunications are particularly vulnerable, according to the agency." 

 

Clearly, cyber threats are increasingly appearing on the radar of both governments and private companies.

 

Have they appeared on your company's radar yet?

 

You can read the rest of the article here and can read the CSIS Report here.

July 11, 2011 4:30 PM | Posted by Roy Hadley | Permalink

I just read an interesting article on the growing threat that software written and hardware manufactured overseas pose to the security of infrastructure in the United States. Essentially, the argument is that malicious code can be embedded in software and hardware that is imported into the United States and that this malicious code can be used to gain access to systems and networks at a given time in the future. It can also be used to disable systems or cause them to malfunction.

According to the article, infrastructure, "including power distribution, water supply, telecommunications and emergency services, have become increasingly dependent on computerized information systems to manage their operations and to process, maintain and report essential information." This is a large concern of the U.S. Government.

Is your company concerned?

You can read the entire article here: http://www.upi.com/Top_News/US/2011/07/07/US-infrastructure-faces-cyberthreats/UPI-96991310074528/#ixzz1RYQoiLmb  

June 15, 2011 6:08 PM | Posted by John Watkins | Permalink

In a prominent lead opinion piece on June 15, 2011 in the Wall Street Journal, Richard Clarke, former Chair of the federal government's Counter-terrorism Security Group in the Clinton and George W. Bush administrations, makes the case that the Chinese government is actively involved in cyber attacks on U.S. businesses. Mr. Clarke also notes prior threats that have been identified to the power grid.

 

Mr. Clarke, to be sure, is a controversial figure, but he has not been hesitant to criticize even administrations in which he served on matters involving national security. Mr. Clarke observes: "Congress hasn't passed a single piece of significant cyber security legislation." Noting the muted response of governmental officials to issues in the face of Chinese government denials, Mr. Clarke states that if explosives were found in our infrastructure, a strong response could be expected, but if "the explosive is a digital bomb that could do even more damage, our response is apparently muted—especially from our government."

 

Mr. Clarke's concerns are not limited to the power grid infrastructure or the defense industry. He notes that cyber criminals tend to go after banks and credit card companies, not defense contractors.

 

Mr. Clarke's thoughts represent a cautionary tale for all companies dependent upon information technology -- which would probably include most companies. At this point, do not assume that the government is going to protect you. Be sure your defenses are up and that you have plans in place in the event of a breach.

June 14, 2011 1:35 PM | Posted by John Watkins | Permalink

In 1976, Al Stewart had a hit with his song, "The Year of the Cat." With all due respect to cats, 2011 may go down as The Year of the Hack.

The recently announced hack of the International Monetary Fund (IMF) is only the latest in a series of security breaches of prominent companies and institutions. For a fairly comprehensive listing from PCWorld, click here.

Hacking has become so common that it was recently used as a plausible excuse by Congressman Anthony Weiner in his well-publicized recent travails. For an interesting take from information security specialist Kevin Beaver on this issue, click here.

With respect to the general subject of cloud computing, the message is that security breaches pose a real and continuing threat to the widespread adoption of cloud-based services. As many have observed, and as has previously been written on this blog, the aggregation of data in a cloud can present an attractive target for cyber-thieves.

Those considering the use of cloud-based services will be wise to assess the security procedures adopted by each potential vendor. In addition to considering the technical level of security supposedly provided, check whether the vendor stands behind its promises in any meaningful way in its terms and conditions. Finally, consider whether it would be prudent to maintain direct control over certain particularly critical data instead of sending it to the cloud.

June 7, 2011 2:47 PM | Posted by Roy Hadley | Permalink

SecurID from RSA has been widely considered to be one of the most secure forms of authentication available to corporate America. After the well publicized hack of the platform earlier this year and subsequent breaches, this is apparently no longer the case.

This from Peter Bright at arstechnica.com:

“RSA Security is to replace virtually every one of the 40 million SecurID tokens currently in use as a result of the hacking attack the company disclosed back in March. The EMC subsidiary issued a letter to customers acknowledging that SecurID failed to protect defense contractor Lockheed Martin, which last month reported a hack attempt.

SecurID tokens are used in two-factor authentication systems. Each user account is linked to a token, and each token generates a pseudo-random number that changes periodically, typically every 30 or 60 seconds. To log in, the user enters a username, password, and the number shown on their token. The authentication server knows what number a particular token should be showing, and so uses this number to prove that the user is in possession of their token.

The exact sequence of numbers that a token generates is determined by a secret RSA-developed algorithm, and a seed value used to initialize the token. Each token has a different seed, and it's this seed that is linked to each user account. If the algorithm and seed are disclosed, the token itself becomes worthless; the numbers can be calculated in just the same way that the authentication server calculates them.

This admission puts paid to RSA's initial claims that the hack would not allow any "direct attack" on SecurID tokens; wholesale replacement of the tokens can only mean that the tokens currently in the wild do not offer the security that they are supposed to. Sources close to RSA tell Ars that the March breach did indeed result in seeds being compromised. The algorithm is already public knowledge.”

You can read the rest of the arstechnica.com article here: http://arstechnica.com/security/news/2011/06/rsa-finally-comes-clean-securid-is-compromised.ars   
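The mechanism the Ars Technica excerpt describes (a token and a server that both derive a short-lived code from a shared per-account seed) can be shown in working code. This is an added example, not code from Ars Technica or RSA: the real SecurID algorithm is proprietary, so the public TOTP construction (RFC 6238, HMAC-SHA1 over a time counter) stands in for it, with a 60-second step as mentioned in the article. The seed, account and password values are constructed for the example.

```python
"""Time-based token and verifier in the style described above (added example, TOTP stand-in)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article: codes change every 30 or 60 seconds
DIGITS = 6


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS,
               digits: int = DIGITS) -> str:
    """What the token displays at unix_time: HMAC(seed, time counter), truncated per RFC 4226."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AuthServer:
    """Server side: holds the same seed for each account and recomputes the expected code."""

    def __init__(self, skew_steps: int = 1):
        self.seeds = {}          # account -> seed; this is the secret whose leak forces token replacement
        self.passwords = {}
        self.last_counter = {}   # account -> last accepted time counter, so a seen code is not accepted twice
        self.skew_steps = skew_steps

    def enroll(self, account: str, password: str, seed: bytes) -> None:
        self.seeds[account] = seed
        self.passwords[account] = password
        self.last_counter[account] = -1

    def login(self, account: str, password: str, code: str, unix_time: int) -> bool:
        """Two-factor check: password plus the code the user's token currently shows."""
        seed = self.seeds.get(account)
        if seed is None or not hmac.compare_digest(self.passwords[account], password):
            return False
        now = unix_time // STEP_SECONDS
        # Tolerate a little clock drift between token and server, but never an already-used window.
        for counter in range(now - self.skew_steps, now + self.skew_steps + 1):
            if counter <= self.last_counter[account]:
                continue
            expected = token_code(seed, counter * STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                self.last_counter[account] = counter
                return True
        return False


def demo():
    """Walk through the article's point: the seed alone, with the algorithm, reproduces the token."""
    seed = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed sample seed
    server = AuthServer()
    server.enroll("alice", "correct horse", seed)
    t = 1_700_000_000
    shown = token_code(seed, t)                                      # what alice's token displays
    accepted = server.login("alice", "correct horse", shown, t + 5)  # same window: accepted
    reused = server.login("alice", "correct horse", shown, t + 10)   # same code again: rejected
    # A second copy of the seed (no physical token involved) yields exactly the code the
    # server expects ten minutes later, which is why a seed compromise means the tokens
    # in the field must be replaced rather than merely re-synchronised.
    seed_copy = seed
    later = server.login("alice", "correct horse", token_code(seed_copy, t + 600), t + 600)
    return accepted, reused, later
```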

June 7, 2011 2:36 PM | Posted by Roy Hadley | Permalink

Last Friday, I was a panelist at a discussion on cloud computing entitled “Cloud in Crisis: Learning from the Entertainment Giants.” This event was part of an ongoing series called “New Economy New Rules” and was sponsored by The Business and Technology Group of Barnes & Thornburg LLP and TechPoint in Indianapolis.

The discussion was moderated by Todd Vare of Barnes & Thornburg. On the panel with me were Pat O’Day, Chief Technology Officer for BlueLock, LLC, and Rod Rudd, Practice Director of Cloud Computing for MMY Consulting. There were over 150 attendees at the panel discussion (and many more attendees remotely) and a very lively question and answer period ensued.

I think the primary takeaway from the panelists was that cloud computing is here and companies might as well embrace it. However, companies must also be very diligent with both their contractual arrangements as well as with the practicalities of adopting cloud computing.

For example, in addition to making sure that contracts contain the necessary protections, companies should understand their data and understand that all data is not created equally. Accordingly, some data may be suitable for public clouds while some data may only be suitable for private clouds, if at all.

Another takeaway was that companies should avail themselves of the necessary expertise, either internally or externally, to fully understand cloud computing and the intricacies associated with adopting it as a technology solution.

Again, it was a very interesting discussion and I look forward to follow-on discussions with many of the companies that were represented in the audience.

May 17, 2011 5:50 PM | Posted by Roy Hadley | Permalink

The United States government released its "International Strategy for Cyberspace" yesterday.

It is an interesting read from the standpoint of the government acknowledging that cyber-security and cyber-warfare are issues that are at the forefront of the administration’s current mindset.

As stated in the report, the U.S. government will take an aggressive and proactive role in cyber-defense and network security. In fact, the report states that “[T]he United States will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits.”

For businesses, the report underscores that cyber-security and cyber-espionage will increasingly be topics that should be addressed not only from an operational standpoint but from a governance and risk management standpoint.

In addition to being read by company CTOs, CISOs, and CSOs, the report should be read by all C-suite executives and board committee members as it does a good job of outlining future cyber threats and what the government’s role will be in addressing those threats.

Link: http://www.whitehouse.gov/sites/default/files/rss_viewer/international_strategy_for_cyberspace.pdf
