In October 2017 InteliSecure were performing penetration testing activities for an important client.  One of the tasks involved performing tests against the client’s E-Mail content analysis systems. Various types of E-Mail were sent with attached executable files compressed and encrypted in various ways. These were blocked by the content analysis device, Cisco® Email Security Appliance (Cisco® ESA), previously known as Ironport.

In addition, E-Mails were sent with several types of malformed MIME formatting with executables attached in non-standard ways. One of these E-Mails passed by the executable blocking rules, which was reported to be an E-Mail without an attachment by Cisco® ESA, was accepted as a valid E-Mail with an executable attachment by Microsoft® Outlook. It was found that various other types of file could be sneaked past Cisco® ESA using the same method.  Interestingly, if the malicious email was then forwarded outside the organisation via Cisco ESA the same executable was blocked.

Whilst the CVSS3 score given by Cisco® in their advisory in August 2018 was 5.3, based on a minor integrity weakness in Cisco® ESA, the impact of this vulnerability could be greater given that malicious E-Mail is used to proliferate malware infected files, such as Trojans, Viruses and Ransomware. The exponential growth in E-Mail borne attacks has been observed since the beginnings of the Security Industry and is continuing to grow given the ease with which new malware can be developed using tools available on the Dark Web.

Cisco® ESA versions 10.0.0-203 and 11.0.0-264 are known to be affected however, Cisco has listed the issue as ‘Fixed’ but has not indicated where updated ESA software can be downloaded.

One interim workaround may be to create custom rules to looks for strings like ‘.exe’, ‘.com’, ‘.dll’, ‘.ps1’ and block E-Mails matching those however, due to Microsoft CreateNewProcess API executables with non-matching extensions may still execute.

InteliSecure recommends ensuring that endpoint security and Anti-Virus products be kept up to date. Application white listing should also be implemented so that users can only execute authorised executables. Additional Intrusion Detection or Intrusion Prevention devices could also be considered. To defend against ransomware, InteliSecure recommends that offline backups be taken of all important data.  If an incident occurs, backups should be scanned to ensure that files are not infected before they are restored.

Please refer to the Cisco Advisory for further information: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh03786

InteliSecure would like to thank our client for allowing us to pursue this vulnerability to try and encourage a fix to be produced.

InteliSecure would also like to thank the Cisco® developers and PSIRT for dealing with this issue rapidly.

If any organisations are unsure whether their Cisco ESA system is vulnerable InteliSecure would be happy to discuss this issue further.

In AT&T’s 2017 Global State of Cybersecurity survey, 28% of respondents saw cyber insurance as a replacement for cyber defenses. Part of the issue is frustration with the apparent lack of effectiveness of cyber spend in reducing the prevalence in incidents, while part of the issue is a desire to make this problem someone else’s problem. But the fundamental issue is actually a misunderstanding of risk management.

Risk Management

One of my favorite similes in Information Security is that risk is like energy, it cannot be created or destroyed, rather, it simply changes forms. Risk has four forms of treatment: acceptance, avoidance, mitigation, and transference. All risk, whether identified or unidentified, falls into one of the four categories. Information Security is a risk mitigation strategy and cyber risk insurance is a risk management strategy. Therefore, if you were to ask me if you should mitigate risk or transfer risk, my answer would be “Yes”. You should do both to varying degrees, and the proper amount of investment in each is dependent on the risk profile of your organization, but asking whether you should do one or the other indicates a misunderstanding of risk and risk treatment. Therefore, even though most readers are likely familiar with the terms defined below, it is clear that understanding of these terms is not ubiquitous.

Risk Acceptance

This is the default strategy. If you were to do nothing at all to identify or treat the risk in your business, risk still exists. Consequently, ignorance of risk is de facto acceptance of that risk. Put another way, in order to apply any risk treatment strategy other than acceptance, the risk must be identified and treated. If risk isn’t identified, the vast majority of risk is automatically accepted. Risk acceptance isn’t necessarily bad, so long as it is identified and consciously accepted by someone who has the authority to accept the level of risk on behalf of the organization. I often tell people that CISOs that get in the business of accepting risk on behalf of the organization are the reason why the average tenure of a CISO is so short. Some minor risk can be accepted by the business units, but risk acceptance is generally the domain of the CEO.

Risk Avoidance

Risk avoidance is sometimes popular in organizations with limited resources because it has no direct cost. This strategy essentially says if something is risky, we will simply not do it. The classic example of Risk Avoidance is turning off USB access for all employees because you are concerned sensitive data will leak. A risk mitigation strategy for loss of sensitive data is to deploy a Data Loss Prevention technology, but those technologies may appear to be expensive to deploy and maintain, so the organization instead chooses to disable a core capability of their organization’s computing environment. While disabling the capability may not have a direct cost, there is often a significant opportunity cost manifested by lost productivity in doing so. Since risk avoidance is generally accomplished by limiting features of the IT environment, risk avoidance or the lack thereof is likely the domain of the CIO. While risk avoidance can be a problem from an opportunity cost perspective, it is often more of a problem when a CIO deploys a change or a technology that deprecates the avoidance of a risk without working with the CISO to mitigate that risk and instead accepts the risk on behalf of the CEO. This is a recipe for disaster that manifests itself time and again.

Risk Mitigation

The entirety of cyber security falls into risk mitigation. Everything the CISO does is a mitigation strategy whether the solutions he or she deploys are people, process, technology solutions or any mix of the three. It is notoriously difficult to quantify risk mitigation as it is hard to quantify what didn’t happen but likely would have happened if a specific control was not in place. However, since risk does not get created or destroyed, it is much easier to quantify accepted or avoided risk. Looking at risk mitigation as movement from one of the other categories allows an organization to quantify risk in their environment and therefore define the benefit of the aggregate of their risk mitigation strategies against their cost.

Risk Transference

Risk Transference is the classic insurance use case. The problem with risk transference is that you can only transfer risk for the direct costs associated with an incident. While this is a minor problem for insurance products like home and auto, it is a major issue for cyber risk insurance given that a full 66% of an average breach in the United States is categorized as an indirect cost. Put another way, if you are one of the 28% of companies that use cyber risk insurance as a replacement for cyber defense, your best case result is that you have transferred 34% of your risk and accepted 66%. In reality, you have likely not identified and transferred all risk factors, so you are likely accepting upwards of 80% of your risk. If you are the CEO and highly risk tolerant, this might be an acceptable strategy, if you are not, you likely don’t have the authority to make such a bold decision. Because risk transference is a strategy that is generally associated with buying down identified risk, it is most often the domain of the CFO.

The Genius of the AND

Jim Collins is an influential author of business philosophy books who has a multitude of quotable sayings, but one of the concepts that he is known for is the tyranny of the OR and the genius of the AND. This is applicable to risk management in a profound way. Those that are asking if they should buy a cyber risk insurance policy OR deploy cyber defenses are asking the wrong question. Essentially, a healthy organization should have Risk Mitigation strategies AND Risk Transference strategies AND Risk Acceptance Strategies AND likely some Risk Avoidance strategies. Ultimately, the quantity of risk and the likelihood that risk materializes are the factors that should go into the calculation of a Risk Transference premium, so it could be argued that Risk Transference should be the final strategy deployed in order to avoid accepting risk that cannot be mitigated or avoided. Unfortunately, too many organizations are trying to finish before they start and leading with the end.

Conclusion

While all four risk management strategies are important to treat risk in an organization of any size, it is important to ensure we do not allow frustration to prevent us from deploying sensible risk mitigation strategies. The truth is there is no easy button. That includes cyber risk insurance. It’s true that cyber risk insurance is a relatively immature market, but regardless of how much it matures, it will always be a part of the equation of how to treat risk and not the answer. Just as light energy and heat energy are inextricably linked, risk mitigation, risk transference, risk avoidance, and risk mitigation will always be components of a sensible risk mitigation strategy. The proportions of each will vary by organization, but they will all be omnipresent. So the answer to the question of whether an organization should buy a cyber insurance policy or build a program to mitigate as much risk as possible, is “Yes!”, and it always will be.

Corporate espionage is one of the least understood and most downplayed elements of cyber security. Most people focus on massive breaches involving personal or financial data and that the majority of these breaches are discovered by someone other than the victim organizations. The reason this happens is because the personal data is often sold on illicit marketplaces. Would we ever know the breaches occurred if the information was not sold on the open market? This is the situation that exists in the case of corporate espionage.

According to a recent study commissioned by Bromium unveiled at RSA Conference 2018, cyber crime generates $1.5 trillion per year. If cyber crime were a country, it would have the 13^th highest GDP in the world. Based on media coverage and regulations being passed around the world, you would think that regulated data would make up the majority of that revenue, but you would be wrong. Theft of trade secrets and intellectual property accounted for $500 billion dollars or a full third of overall cyber crime, while regulated information accounted for $160 billion or just over 10%.

Back in 2004, a study unveiled at the London Infosecurity Summit indicated that, “more than 70% of people would reveal their computer password in exchange for a bar of chocolate”. The world has changed since then, and most employees are more aware of security in general. Assuming your organization has an access control and entitlement review process, and knows where every copy of critical data is stored, you would not grant access to someone who would trade their password for a candy bar. What if the stakes were much higher? Would your employees trade your secrets for $1 million or $10 million? What if they weren’t asked to actually deliver information or give away their password? What if they were told to simply click on a phishing email and plead ignorance?

A Lack of Awareness

Most organizations use regulation compliance to fund their data security initiatives. Therefore, most programs have an outsized focus on compliance initiatives rather than objectively valuing the data their organization holds. They don’t perform a risk assessment against that data and prioritize security based on that risk assessment. If theft of trade secrets and intellectual property is three times more economically impactful each year than theft of regulated data, why are organizations so much more concerned with protecting regulated information than intellectual property?

There are likely many reasons for this, beginning with the simple lack of awareness. Most intellectual property thefts are conducted in secret with a buyer or state sponsor identified before the theft occurs. Stolen regulated data is often sold on a marketplace and there are far fewer requirements of an organization to publicly disclose the theft of intellectual property. Regardless of the reasoning, this lack of awareness helps to drive increased intellectual property theft as this information is simply not as well protected as regulated data. In the last seven years I’ve noticed most organizations fund their initiatives through a compliance need and many programs begin with protecting data even when significantly valuable intellectual property is owned by the organization. Many organizations never shift from regulated data protection to intellectual property protection, resulting in more theft of intellectual property.

In actuality, if compliance is the driver for security spending in an organization, that organization’s security team has ceded their organization’s cyber security strategy to lawmakers. That is a truly scary proposition. Lawmakers, in most countries, are not cyber security experts. This is not an indictment of lawmakers. Most of them did something else before they were in government. If you were a doctor and a lawyer who won an election and were suddenly expected to be an expert setting public policy on technology and cyber security, you would likely struggle to become an expert over night as well. Therefore, developing a security strategy driven by compliance means an organization will always be behind the curve and likely unprotected.

Sophisticated Actors and Insiders

Regulated data is generally stolen using commoditized tools and by criminal organizations that range from unsophisticated actors to reasonably sophisticated actors. However, intellectual property is often stolen by well-funded and sophisticated actors who often leverage insiders to bypass externally-facing corporate defenses. Firewalls and deception systems, while very good at making it difficult for a true external actor to find what they are looking for, do not help address the insider threat. Insiders generally know exactly where the data they are looking for is located and, by definition, must be able to access it in order to do their jobs. In order to address the threat posed by these actors it is imperative that organizations monitor the movement of the data itself as well as the behavior of users. Advanced endpoint protection platforms employing machine learning to detect advanced malware are similarly useless against an insider as that person is not likely to deploy malicious code to steal data. The truth is many of the products CISOs are spending their budgets on and their time pursuing are useless against one of the most common tactics used to generate 1/3 of cyber crime’s overall revenue.

The insider threat is an inconvenient truth, we’ve all heard of it and know it exists, but no one wants to believe their friend or colleague is going to act maliciously. The truth is people do. There have been recent high profile cases that illustrate this concept such as Waymo vs. Uber, but it stands to reason that there are many others that are not discovered or never reported. This is certainly not the first time Uber has been accused of stealing intellectual property from their competitors. In fact, a recent article from Marketwatch reports that, according to a lawsuit, “Uber Technologies Inc. operated a clandestine unit dedicated to stealing trade secrets.”

Another article in CNN Money details the story of American Semiconductor. American Semiconductor is a company based in Massachusetts who recently won a lawsuit against its former Chinese partner Sinovel, which was convicted of stealing American trade secrets in a US Federal Court.  The short version of the story is that American Semiconductor began doing business in China with Sinovel as a supplier of components to run wind turbines in 2007. In 2011, Sinovel did not pay American Semiconductor outstanding invoices and canceled orders that were ready to be shipped. Upon investigation, it was revealed that an employee at an American Semiconductor subsidiary was offered $2 million to turn over American Semiconductor’s source code for its wind turbine control software. There were even Skype conversations uncovered between the bribed employee and Sinovel telling Sinovel that once they had this source code that they could separate from American Semiconductor. American Semiconductor had a stronger than average security program to protect against attacks from the outside, however, the failure to monitor user behavior and data with respect to trusted insiders, nearly cost them their company.

Think of all of the people inside your organization who have access to critical intellectual property and trade secrets. Not just the few in the middle of the inner circle, but every person involved in storing, processing, or transmitting that information. Assuming the concepts of least privilege and need to know are enforced, this is still likely to be at least ten people. Most organizations would probably admit that they do not implement least privilege well and very few CISOs would stake their reputation on a bet that there are not overly permissive systems and file shares in their environment. As a result, in most organizations, there are more users that can access information than there are users that absolutely must in order to perform their job functions. As a result, privilege misuse, or users accessing data they have no legitimate need to access and then leaking that data, is the second most common incident type in Verizon’s 2018 Data Breach Investigations Report. It accounted for over 20% of total incidents in 2017 and is therefore the most common method through which data is breached, ahead of more publicized incident types like crimeware (#3) or payment card skimmers, which are often talked about, but are by far responsible for the fewest incidents. Due to the fact that most organizations do not implement and maintain stringent access control policies, and most organizations employ relatively flat, non-segmented networks, think of the number of people in your organization who could potentially access such critical information.

Fredrik Lindstrom, Manager CIO Advisory at KPMG, was quoted in a CIO magazine article saying, “Network segmentation, or splitting a network into sub networks, is the best way to phase out outdated security approaches. Unfortunately, it is also one of the most neglected parts of a cyber security program, because most organizations believe network segmentation is too complex and cumbersome.”

Conclusion

In the face of these odds, how can an organization possibly protect themselves? They could start by monitoring the data that matters most and also analyze the behavior of users and credentials against baseline behavior. No data theft can happen without a change in behavior of the data and the user. This is true whether the threat is external, a zero-day exploit, or a trusted insider. The problem is, this requires an organization to admit that the insider threat is real, could affect them, and commit to the hard work required to protect their critical data assets. People naturally gravitate to easy solutions such as technologies that can be deployed with little thought or attention. Fewer people want to do the hard work of building a program to protect critical data and address insider threats.

While it is unpopular to admit that your friends and neighbors may be the people most likely to put critical data at risk, and far more difficult and time consuming to build a security program that takes critical data assets and user behavior monitoring and analytics into account, the consequences for not doing so can be catastrophic. American Semiconductor is not alone, there are many other cases like it that never end up in court and never publicly disclosed. This silence is part of the problem with awareness about these types of challenges. There is hope, however. I have many stories that I cannot share due to confidentiality agreements where properly built and maintained security programs thwarted similar attempts to steal and capitalize on intellectual property theft. These things are happening. Don’t ignore the facts. It’s time to protect your organization. You don’t need to wait for the government to tell you that you must.

Join InteliSecure, Forcepoint CISO Allan Alford, and Forcepoint VP of User & Data Security, Guy Filippelli, for a breakfast briefing highlighting cross-platform intelligence at RSA 2018. Learn more here.

RSA 2018 will undoubtedly include a raft of announcements related to new point products or new capabilities from existing products. In fact, for the past decade or so, the major disruptions in the technology space have come from start-up companies introducing new functionality in the form of point products. Most of those start-ups either diversify their portfolios to the point they can reach an IPO or they are acquired by large general security technology providers like Symantec or McAfee. This has led to the proliferation of a wide array of security products in many enterprises that have complimentary capabilities but do not integrate well with each other, even when they are owned by the same company.

As a result, we have seen vendor fatigue and the challenges posed by swivel-chair analysis; analysis done by personnel having to move from one security component to another to try and identify patterns and truly understand what is going on within their IT environment. This vendor fatigue, combined with a global shortage of qualified security personnel, has led to demand in the marketplace for security platforms rather than a collection of point products. We are starting to see the marketplace demand platforms that not only integrate well with other security products inside the vendor’s portfolio, but also products provided by innovative startups.

However, integration of point products with each other is often still limited to simply seeing cross-platform information through a “single pane of glass”. While this is a positive development, gathering intelligence from one product and applying lessons learned to another technology has largely been a human-driven effort. This can be seen especially around integrating User and Entity Behavior Analytics (UEBA) with other security technologies such as Data Loss Prevention (DLP). Given the talent shortage, companies either struggle with the ability to truly correlate this information in an intelligent way, or they are forced to turn to a Managed Security Services Provider (MSSP) like InteliSecure to fill the gaps and become the connective tissue these security technologies lack. Although many of these MSSPs possess the expertise to execute programs in this fashion, relying on human correlation is expensive and time consuming. Decisions cannot be made in real time and there is always a lag time between information being gleaned from one technology and applied to another.

The future of security technologies is automation. Not necessarily automation of response, although orchestration and automation technologies are compelling, but rather automating the intelligence being gained from one platform and applied to another. Today’s tools are able to provide insights into risky an anomalous behavior when it comes to data protection, but the forensic nature in correlating internal and external activities to identify threats can often take hours, weeks or months. New platform-based integration and intelligence will be able to identify threats quickly and effectively, without the delays seen today.

At the beginning of this blog was an invitation to a breakfast briefing being held at RSA 2018. Forcepoint is one organization building a comprehensive security platform that automates intelligence from different sources and a leading innovator in Data Security and User Behavior Monitoring. They will be announcing significant innovations on the Tuesday at the conference. The briefing during breakfast on Wednesday will let you see the innovations in action as well as allow you to ask questions of their CISO and members of their development team.