The largely accepted view and standard is that the protection of information assets is a technology function and hence in many organizations all “controls” are within the area of Information Technology.

While technology is an important aspect of any information security program strategy, it is at best only one of three legs of the footstool. Many information compromises start with threats that arise from weak procedures, and may include intentional or unintentional human acts.

Social engineering is the act of obtaining confidential information through the “art of deception”.  Most people have heard of or experienced phishing attacks through email.  The email entices the recipient to visit a website that downloads malicious software to the user PC or tricks the individual into providing sensitive information such as login credentials to business or personal accounts.

Vishing attacks, which are social engineering exploits delivered by phone, are frequently launched against customer service departments, help desks, and other business functions within corporations.  With caller identification easily spoofed and displaying the desired inbound number on the recipient’s display, the attacker poses as someone they are not in attempt to extract sensitive information.    The goal of the attacker may be to gain access to the company’s infrastructure, bank accounts, personal and private information or a variety of other reasons.  It is hard to image how technology can prevent such attacks if the employee is unaware and untrained.

Organizations that fail to look at risk to their information assets from a global perspective by analyzing business processes, identifying potential exposures, and determining the necessary controls to protect their information assets run a high risk of repeat and long-term compromise by both insiders and external attackers.

A well-balanced plan integrates risk management principles and focuses on a blend of preventative, detective and response measures across people, process and technology.   Establishing a plan starts with awareness at the business leadership level, analysis of the threats, and the development robust business-centric mitigation strategies.    While all compromises cannot be prevented, an organization that prepares will detect malicious activity sooner, limit exposure, protect its brand, and recover in a precise preplanned manner

Reputation Communications June 2010 Newsletter

“Organized crime, foreign government sponsored espionage, and employees with a growing sense of entitlement are all part of the growing menace that companies must recognize and address”, said Mr. Schmidt.  ”In order to begin to move forward organizations must start with the engagement of their governance and executive management teams.  Risk management principles must apply beyond the standard technology purview”.

The event was well attended by ASIS security professionals and a larger variety of vendors.  The event was the ASIS NYC 20th annual event.

The attacks, which originated in Europe and China, targeted major corporations and government agencies including pharmaceutical giants Merck & Co. and Cardinal Health.  The operation has affected some 75,000 computers in 196 countries.

Now is the time to examine your company’s business practices to make sure that your critical data and intellectual property are safe from complex electronic and socially initiated thefts.  Lapses in appropriate security measures can expose your company to major financial losses, both from theft and from civil lawsuits filed on behalf of clients or customers affected by the breach.

To protect your company and your shareholders from such losses or litigation, your company’s security practices must be up to date and in compliance with state and federal regulations.  Your IT security practices should also be part of your overall corporate governance, led by your general counsel so that this information is protected by attorney client privilege.

Information Defense Corporation and Interfor Inc. a leading global due diligence and investigations firm are partnered to offer our clients unique and comprehensive security solutions.  From physical security, asset recovery and crisis management to risk based and technical assessments of electronic assets and controls, the team is positioned to work with your company’s legal and combined security personnel to keep your assets, personnel, intellectual property and trade secrets safe or to help restore the integrity of your operations with incident response and forensics and other measures following a security breach.

For more information on the services offered by our team effort please use our contact pages here:  Contact Us

Three critical reasons why include:

(1) the CIO can neither create nor maintain the attorney client privilege without general counsel’s direction of the corporation’s cybersecurity efforts;

(2) for the same reasons, general counsel, not the CIO, is responsible for corporate governance at large, and cyber security is first and foremost a corporate governance issue; and

(3) the role of interpreting and directing action to meet federal and state compliance statutes, covering a wide variety of legal mandates from privacy, to identity theft, to notifications requires legal counsel to direct actions that protect corporate interests and meet the legal obligations.

The consequences of information compromises present business issues that require legal planning and action to mitigate the risks to the corporation and its shareholders.

Now is the time to be proactive and lay the groundwork to protect legal interests, promote strong corporate governance, and reduce the potential of legal missteps, significant litigation and other actions arising from information compromise.

Please contact us to learn more about our comprehensive solutions that will appropriately position your organization to address the growing business risks created by information compromise.

The attack also targeted two other entities, at least one of which is a government agency.  The attack was discovered over the summer, but could have taken place as much as a year earlier.  The case is being investigated by the FBI with assistance from the NSA, the Department of Homeland Security and Citigroup which is partially owned by the US Government.

Citigroup denies that the hack took place and there has been no comment from any government agency, but the report further details that the hack was discovered when officials noticed suspicious internet traffic coming from email addresses known to be owned by the Russian Business Network, a gang that has sold software used to access US government systems.  The gang had been silent for two years, but is suspected in other recent attacks.

Beyond the stolen money, a major concern is that the hackers could destroy information, wreaking havoc on the banking system or that once they have infiltrated one bank that they could use that access to get into other banks.

This further illustrates the point that I was making in the previous article that cyber terrorism is a very real threat and that our banking, communications, government and military systems are currently under assault from gangs and even the governments of other countries.

Protecting these systems must be a priority, and the efforts to do so must be coordinated, not a variety of independent efforts directed my multiple agencies.

By Juval Aviv, President & CEO of Interfor Inc, Strategic Partner of Info Defense

Mr. Schmidt is an industry veteran who previously served the Bush White House.  He was formerly the chief information security officer at Ebay, the chief information officer at Microsoft and worked in computer security for the Air Force, the Army and the FBI.  The Obama administration is the first to promote this position to the level of a White House Director.

Cyber security has increasingly become a priority in the wake of a growing number of cyber attacks and reports of vulnerabilities in business and military computing systems.  Obama was brought face to face with the issue during his campaign for the presidency when his campaign’s computer security was breached exposing critical information ranging from policy positions to travel plans.

Mr. Schmidt will be facing long running turf wars being waged among the Pentagon, the National Security Agency, the Department of Homeland Security and other agencies over the conduct of defensive cyberoperations.

He and others serving in cyber security positions will also be trying to work out how to conduct offensive cyberoperations, and what the rules and tactics should be.  One of the biggest fears in carrying out offensive attacks on computer systems is unintended consequences that damage civilian infrastructure.

In 2003 for example, the Bush administration had the technology to launch a cyber attack that would freeze the bank accounts of Saddam Hussein and cripple Iraq’s economy, giving Hussein no money for war supplies or to pay troops.  The attack never happened though because of the fear that the effects of the attack would not be limited to Iraq and would create world-wide financial havoc.  Attacks were carried out on Iraq’s military and government communications system, which resulted in cellular and satellite telephone service being shut off on the countries surrounding Iraq for several days.

I am heartened to see that the issue of cyber security is being taken more seriously by this administration and that attempts are finally being made to coordinate the efforts to protect our nation’s computer systems.  Cyber warfare has become a very clear and present danger, one that could have deadly consequences leading to a further destabilization of our country’s economy and even the loss of lives without one terrorist ever stepping foot on our soil.

The vulnerabilities of our banking, government and military computer systems, the Federal Aviation Administration systems as well as the systems that are used for general communication and e-commerce have not been addressed sufficiently to this point and those vulnerabilities have led to dangerous security breaches.

In my opinion, the one issue that must be addressed immediately, particularly for the military, is that only about 1/5 of computer chips are produced in secure American facilities.  Most computer chips, even those that are produced by American companies are produced overseas.

In fact only about 2% of the computer chips that are used in our military’s communications systems and weaponry are being produced in America.  This is a major cause for concern as chips produced in unsecured plants can be infected with malicious software or Trojan horses that allow computer criminals to pilfer information or to even take over control of the machine that is being powered by the infected chip.  Retired Army General Wesley Clark has referred to these types of infected chips as “the ultimate sleeper cell” and I agree.  Domestic production must be supported and encouraged if we are to make a serious effort at protecting vulnerable systems.

Clearly, Mr. Schmidt has his work cut out for him.  I wish him luck.

By Juval Aviv, President & CEO of Interfor Inc, Stategic Partner of Info Defense