Reprinted with permission
THE RISK REPORT
PLAN TO PROTECT DIGITAL ASSETS
MARK LANTERMAN
October 2015

There is no such thing as perfect cybersecurity. No matter how many millions of dollars an organization spends on information security, some hacker, somewhere, at some time, will successfully break in. But this does not mean that individuals and organizations should just sit around and wait for the inevitable. There are steps that can be taken to minimize risk and thus potentially circumvent a data breach.

This article explains some of the methods hackers currently use, along with the best-practice preventive measures to circumvent such hacks. In addition, a case study illustrates both the risk and lessons learned, stressing the importance of education and developing a “culture of security.”
Prevention Is the Best Solution

While it may be the most optimal solution, preventing breaches is not simple or easy. In many ways, organizations have to be prepared for something that has not yet happened—they have to forecast the future of cyber and privacy threats. Doing so often entails poring through mountains of data to find a needle in the haystack—a piece of malware or a threat that can compromise critical data.

Sometimes, as is clearly evidenced by the recent breaches, these threats can get lost in the noise. Furthermore, the best and worst thing about the tech industry is that it is fast paced. Product cycles move fast, but tech mainstays like software updates and patches move even faster. It takes dedicated personnel for organizations to keep up.

Add to this industry-specific software and hardware, which varies greatly, each with its own purpose and security considerations. This leads to a diverse palette of devices and software tools, and a consequent variety of new uses, but that same diversity is also targeted by hackers for the marketability of the data it collects and stores.

Nowadays, security is not just a locked shop door. Digital breaches are robberies that happen at any hour and without warning. In some cases, these robberies happen without any immediately apparent evidence. But do not despair! Being informed of these issues is the greatest defense an organization can have. If an organization’s network configuration and employee education program are lacking, exposure to serious risk and liability is heightened. The potential loss of valuable digital assets, especially client information, can result.
Conduct a Digital Security Assessment

The prevention and detection stages of security (those before a breach occurs) are typically informed by a digital security assessment, which goes beyond simply testing an organization’s network for vulnerabilities. Rather, an assessment allows for a more complete picture of an organization’s security posture—focusing on policy, controls, and procedures, as well as the effectiveness of their implementation.

Tech infrastructure is often a “set-it-and-forget-it” affair. Essentially, digital infrastructure is installed, configured, and then never touched again. To maintain a secure digital environment, it’s imperative to test, test, and test some more.
Consider the Human Element

When it comes to issues of information security, the human element is just as important as the technology itself—perhaps even more so. Hardware and software require regular human input to make sure they are keeping up with the latest updates, security patches, etc. Therefore, the human element of security is the single most important aspect of an organization’s security posture. A strong posture can only be achieved by fostering a culture of security, through education and implementation of a written digital use policy.

Also consider the psychology of a hacker when assessing the role of human vulnerabilities in determining the viability of an organization’s cybersecurity practices. The term “hacker” is interesting in its ability to conjure up a vague, though widely held, notion of the cybercriminal. The vision is fairly common: a scruffy, socially challenged individual, slouched in a swivel chair, speedily typing on a keyboard as indecipherable streams of digits race down the computer screen.

Compared to other criminals, the hacker largely remains an unknown, impersonal entity, tied intrinsically to a modern era of technological advancement. However, what is often forgotten is that, although hackers are primarily recognized for their abilities to manipulate technology, they can be equally adept at manipulating people.

Security procedures rely heavily on human participation and interactions. The first step of a hacking scheme, the crucial point at which the probability of a data breach is determined, can (and often does) start at the human level. Unsuspecting personnel may encounter a hacker without even realizing it, giving the hacker access to sensitive data simply by offering a Wi-Fi password or log-in credentials.

It is important to recognize that, similar to technology, individuals can be prone to trusting disreputable sources. A hacker is willing to take advantage of the breadth of an organization’s vulnerabilities; consequently, employees are just as vulnerable to attack as technological data sources.

On the flip side, employees can download malware without realizing it, such as through illegal downloads or torrents of movies and applications. These unsafe browsing habits can and often do lead to a malware infection. Don’t trust an e-mail scanning application or spam folder to stop the messages from getting to the inbox. A hacker’s job goes beyond exploiting strictly digital vulnerabilities; the successful ones look for human vulnerabilities.
Watch Out for Phishing Attacks

To assess and react to the danger humans pose to digital security, it is important to know what the bad guys are doing. While external hackers have a diverse arsenal of techniques—and even more diverse reasons for their activities—there are a few that are more pertinent, as they can affect any employee within an organization. Hackers are often referred to as “social engineers,” as they try to manipulate and trick their targets into giving them access.

One of the most prominent hacking examples is “phishing.” Phishing is the process by which cyberthieves are able to lure unsuspecting victims to a malicious link that then executes malware. These malicious links are usually presented to a user through an e-mail message. This is when a user unknowingly initiates the malware by accessing the malicious webserver.

Even more unsettling, though similar, is a “spear-phishing” attack. Unlike a phishing attack, spear-phishing is a directed attack. Cybercriminals gather information about a victim, which is then used to construct a fraudulent e-mail intended to trick the victim. Rather than being obviously nefarious, these e-mails are very realistic and tailored to the person hackers are trying to trick.

For example, in the banking industry, a hacker may use an e-mail message cloaked as a communication from, say, the Federal Deposit Insurance Corporation (FDIC). Due to their nature, phishing attacks are not problematic unless the link to the malicious webserver within the message is clicked. To prevent this within an organization, personnel need to be trained to identify false links. Before clicking the link, “hover” over it to see the true URL or, even better, train employees to manually type in the Web address they need to access in a Web browser.
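The “hover over the link to see the true URL” check can also be run automatically over an incoming message before it reaches a user. The following Python script is an added example and is not part of the original article: it pulls every link out of an HTML e-mail body and flags the three signs a defender would look for when hovering, namely visible text that names one domain while the href points to another, a target that is a bare IP address, and a target that uses plain http. The sample message and every host in it are constructed for illustration (the .example.com and .example.net names and the 203.0.113.0/24 address are reserved for documentation and refer to no real site).

```python
"""Automated "hover over the link" check for HTML e-mail (added example, not from the article).

Extracts every <a> tag from an e-mail body and reports links where the text the
reader sees does not match where the link actually goes, plus two other signs of
a disguised link: a bare IP address as the target and an unencrypted http URL.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. All hosts are reserved documentation names
# (.example.com / .example.net, 203.0.113.0/24); they refer to no real site.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please review the notice at
<a href="http://bank-secure-notice.example.net/login">https://www.bank.example.com/notice</a>.</p>
<p>Questions? Visit <a href="https://www.bank.example.com/contact">our contact page</a>.</p>
<p>Or click <a href="http://203.0.113.10/verify">here</a> to verify your account.</p>
"""

# Matches a hostname a reader would recognise inside the visible link text.
_SHOWN_HOST_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case host part of a URL ('' when the URL has none)."""
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    """True for a dotted-quad IPv4 literal such as 203.0.113.10."""
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def inspect_links(html):
    """Return [(href, visible_text, reasons)] for every link; reasons is empty for consistent links."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        target = host_of(href)
        shown = _SHOWN_HOST_RE.search(text)
        if shown:
            shown_host = shown.group(1).lower()
            # The text shows one site but the link goes to another (and not a subdomain of it).
            if shown_host != target and not target.endswith("." + shown_host):
                reasons.append(f"text shows {shown_host} but link goes to {target}")
        if is_ip_literal(target):
            reasons.append("link target is a bare IP address")
        if urlparse(href).scheme == "http":
            reasons.append("link uses plain http")
        findings.append((href, text, reasons))
    return findings


def suspicious_links(html):
    """Only the links that raised at least one reason."""
    return [f for f in inspect_links(html) if f[2]]


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

The mismatch test is deliberately narrow: it only fires when the visible text itself contains a hostname, because that is the case where a reader has been told where the link goes and has no reason to hover. Links with neutral text such as “here” are not judged on their wording but still get the IP-address and plain-http checks, which is why the third link in the sample is reported while the second is not.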
Provide IT with the Tools It Needs

While a universal training program aimed at informing all employees of their role in the security posture is critical, it is also important to ensure that the information technology (IT) team is staying on top of current advancements in security and has the resources to minimize vulnerabilities. Often, IT people are more concerned with making sure technology is being implemented for productivity, not necessarily for security. Digital assets vary for every organization, making specific preventive measures hard to define. In general, the prevention of attacks and threats should be consistently audited so that a specific information security policy can be created and carried out within the specific context of an organization.

As one general example, outdated and unpatched software applications pose a serious risk. Cybercriminals often target older outdated software because of its longevity. That is, the longer a piece of software is around, the more time cybercriminals have to develop malware based on an established exploit that will not be, or has not yet been, fixed by the developer. In many industries, including health care, legacy technology is becoming a serious problem as an avenue for data theft. Furthermore, preventive measures can get expensive. An organization’s IT team or information security team, however, has a serious leg up on outside threats—they know where the valuable data is. Thorough knowledge of an organization’s infrastructure is a considerable advantage against outside threats. Consequently, it is worth investing in the people who know most about it—IT. The avenues by which data can fall victim to a remote attack are as innumerable as the unique software and hardware contexts of companies all over the world. Keeping a team that is well equipped is a key component of a strong security posture.
Limit Access to Sensitive Information

An often underanalyzed piece of the preventive data security puzzle is data access controls. More simply put, not every employee of an organization should have full access to all data. Even in the case of IT, it is recommended that members of the team use nonprivileged credentials for daily activities. This is a central step to minimizing risk as it inherently reduces the number of access points for data to leave the confines of an organization’s network. More privileged credentials mean more credentials that can be compromised and used to elevate an external threat.

In line with this, it is also crucial to consider internal threats. For example, a disgruntled employee might gain access to sensitive data, steal it, and post it publicly online. Limiting access to critical data on an as-needed basis can, in some cases, preemptively eliminate this risk altogether. People are a company’s biggest asset but also the biggest liability as respects information security. Awareness and implementation of policy is key to maintaining that “culture of security.”
Recognize the Risks of BYOD

Security and data access controls must be practiced and applied outside of the confines of an office as well as inside. Mobile computing has changed everything, including how security is maintained and adapted to reasonable policies. It is becoming increasingly common for employees to take sensitive data home with them (on thumb drives, laptops, phones, e-mails, cloud services, etc.).

With respect to policy, many organizations and their agents alike favor the cost benefits and choice of bring-your-own-device (BYOD) permission, which allows employees to use their personal devices, particularly mobile devices, to store and access company data. Unfortunately, in most instances, this policy relinquishes some defined, universal security strategy and inherently gives an organization less in the way of data control. Standard mobile device management tools are not typically applied and installed on employees’ personal devices.

BYOD can also invite unauthorized connections from an organization to the Internet. Many smart phones offer device tethering, whereby the phone’s cellular data connection is shared with other devices. This type of network activity is not part of an organization’s network, and thus cannot be monitored for suspicious connections.

Before simply accepting BYOD as a cost-effective and desired approach, ensure that policy is clear and consequences are clearer. If BYOD is implemented, do so in such a way that the organization maintains a modicum of control. Also, take legal ramifications under consideration and determine whether there are special regulatory concerns particular to a certain industry that need to be worked into BYOD and mobile computing policies. In some industries, such as health care, a lack of central data security policy and control opens up serious liability risks.

There is another breach risk associated with BYOD—physical device theft. This is becoming less of a problem with certain devices (ahem, Apple), but it is nevertheless important to consider in a fragmented situation where an organization uses software and hardware from a number of providers and manufacturers. For instance, in the healthcare industry, data breaches that affect 500 patients or more must be reported to the U.S. Department of Health. Perusing the listing of breaches, the downside to the convenience of mobile computing is apparent—hundreds of incidents involving stolen physician laptops and phones. Compliance professionals cringe.

If an organization must allow for remote and mobile solutions, again, it is important to consider the regulatory responsibilities of an industry. Regardless of industry best practices for mobile devices, it is critical to keep the data they store encrypted so that a thief is unable to access sensitive data. It’s critical never to fall into a false sense of security, and never to rely entirely on encryption.
Look Beyond Employees

Data control goes beyond just employees. Rather, it extends to include any entity that can store, access, or use a company’s sensitive data, including third-party vendors. Develop contracts that protect the organization, particularly those that use third-party vendors. Third-party vendors can introduce security lapses and vulnerabilities, and might not hold themselves to the proper and necessary digital risk standards. Not doing so can result in a digital catastrophe.

This is best evidenced by the example of the devastating credit card breach experienced by Target in late 2013. Target seemed to have the appropriate controls in place with dedicated IT and security appliances. Thinking that everything was fine with its security practices, management overlooked one critical issue. Target allowed an outside heating, ventilation, and air-conditioning (HVAC) service vendor to connect to the same network responsible for point-of-sale device Internet traffic. Again, this is an example of good technical security measures being rendered ineffective because of lapses within the human element of security.

As with Target, other breaches can be traced back to failures to audit third-party vendors, such as those at the Boston Medical Center and Goodwill. Often, smaller third-party vendors are a sort of hacking “stepping-stone”—compromise their information to get to their larger clients that have more valuable data. This is especially true today, as even the smallest companies have a digital presence. Once again, a company can have all the proper controls in its own offices, but sensitive information with its vendors could be compromised.

To mitigate third-party risk, ensure that appropriate parties, especially legal departments, are involved with the outside vendor hiring process and that audit rights are guaranteed and protected by contracts. That means including audit clauses in contracts to allow the organization to regularly monitor and check that vendors are in compliance with any generally accepted or necessary standards. Cybersecurity is now a reality and must be included in the outside contracting process.
Don’t Overlook the Importance of Data Backups

In addition to the risk of compromising data, loss of data entirely can be even more devastating. While most large corporations can afford to keep their sensitive data in multiple locations, others cannot. Irrespective of the size of an organization, individual workstations can contain important client data that should be regularly backed up. Furthermore, no matter how many backups an organization maintains, it is important to not get bogged down by the sheer volume and always prepare for the absolute worst—a hurricane, tornado, or some other natural disaster that could destroy an entire organization’s data in one fell swoop.

But data loss can happen in other ways most people don’t expect. A couple of months ago, I got a call from a local government agency that had a horrible rash of “ransomware.” Ransomware is malware that seeks to exploit victims by encrypting their files. It is downloaded accidentally by clicking on a link in a pop-up or through a “phishing” e-mail. Once it executes, the user is notified that their files have been locked because they committed a crime, and that they must send money for the decryption key within a certain amount of time or their files will forever be inaccessible. Unfortunately, paying the “ransom” usually will not unlock the files, but only serves to line the pockets of the extortionists. In this particular case, the local agency did not consistently keep a backup of its data, and months of work were lost. This new ransomware infection prompts reflection on something that is still overlooked as a serious risk to daily business activity—data backups, offsite or otherwise.
Develop a Security Culture

It is important to audit all controls to prevent attacks incurred from external and internal threats. Make sure that these controls are in place and effective, and attempt to penetrate your organization’s digital infrastructure to test them. There should be a layered approach to information security. In other words, organizations should not only have a digital fence, but also a locked front door. In addition to simply having “locks” and “fences,” make sure there is a policy information session that effectively teaches people how to keep the gate closed and the door locked.

Incorporating these provisions into policy, and more importantly, executing that policy through employee training programs, moves organizations to a stronger security posture. Creating the atmosphere for effective security is just as important as the security practices themselves.
Hope for the Best, Prepare for the Worst

Striking the key balance between costs and preparation is something to consider, but it is always a good investment, and is usually much cheaper than the fallout of a breach. When it comes to security, prevention certainly is the first choice.

But, what happens if all the preventive measures are taken and incorporated into policy, but an organization is still breached or data is lost? As previously stated, technology is fast paced, and cybercriminals can be one step ahead of the latest preventive security measures. One of the primary reasons for their persistence is that a targeted organization’s data is exceedingly valuable. In recent history, credit cards have been an obvious target for the clear monetary value they carry. These breaches have dominated the headlines and are an unfortunate side effect of our increased reliance on credit technology’s conveniences.
Recognize the Value of Data

Not dissimilar from the recent credit card breaches, hackers have consistently and specifically targeted health data over the years because health data is valuable—it can be used to gather intel about specific people or as a tool for identity theft. It has also historically not been the most secure. Patient names, birth dates, billing information, and health histories have the potential for complex identity theft and medical fraud schemes.

More importantly, though, this data has a market on the “Dark Web” outside of those who are responsible for stealing it. To illustrate the Dark Web, Google indexes approximately 17 percent of websites where most people typically dwell online and do their browsing, shopping, and other online activities. But, below the Internet’s surface lurks the Dark Web, where criminals market a variety of different goods and services, from passports and drugs to “rent-a-hacker” services for the purposes of messing up someone’s life. Thanks to the Dark Web, stolen client data of all kinds has a market, therefore increasing its appeal to be stolen in the first place.

Even if an organization conducts an audit of all security controls and policies, a new exploit could be found the next day, rendering a clean bill of security health void.
Case Study Illustrates the Risk

The following case study illustrates the point that employee education is key. About a year ago, I was contacted by a large corporation claiming that its systems were compromised, and that an unauthorized $1 million wire transfer was initiated, sending the money to Russia. Management suspected that this was an inside job carried out by one of their employees. As they had spent hundreds of thousands of dollars on security appliances, they thought something like this could not possibly happen to them—they were proactive and willing to invest the resources in security. However, a review of their infrastructure revealed a lapse. They adopted a “set-it-and-forget-it” attitude. There was no “culture of security.”

Although management thought their appliances would not allow such a thing, a spam e-mail got to an employee’s workstation. That individual clicked a link and initiated “Zeus” malware. While the hacker’s toolbox is expansive and variable, there are certain tools worth mentioning, one being Zeus. Zeus, when executed, monitors an infected computer for certain types of user activity, including online banking. In some cases, it remains dormant until a user accesses a financial services or banking website.

Once Zeus identifies the targeted activity (such as banking), it will then collect confidential data, including a log of all keystrokes and screenshots. This compromised data is then transmitted to the hacker. In this case, a security token was inadvertently left plugged in. Hackers had everything they needed, and set the software to wait for banking credentials. After that, all they had to do was log in and initiate the transfer.

If that story teaches us anything, it is again that these lapses can and do happen even when the victims think they have a great security posture. Fortunately, that company made the right choices in handling its breach of security; management acted quickly, hired professionals, and assembled the narrative to attempt to get their money back and carry out due diligence for the safety of their customers’ information.
Lessons Learned

More often than not, though, incidents come unexpectedly and organizations are not adequately prepared for the worst. Officers and employees often do not have a clear picture of the chain of command, nor the roles and responsibilities in the face of a breach. This can lead to increased exposure to media and public relations fallout and executive meltdown.

While designing preventive policy, try to design a policy or incident response manual that effectively prevents operational shutdown in the case of a breach and allows for quick, decisive action. And be sure you have the right contacts to respond to such an incident. Be ready for the inevitable, even if it seems impossible.
Whether the organization has in-house or outsourced IT, it is typically best to bring in an unbiased third party for putting the narrative of a breach together. This limits the risk of an IT provider perhaps underemphasizing a breach, as they have an interest in keeping business. Furthermore, many IT departments are not properly trained or equipped to analyze and uncover new threats and malware. IT people are often more focused on implementing technology for ease of use and convenience, not security.

FIGURE 1: ZEUS ATTACK DIAGRAM (Dissecting a Zeus Attack)
1. Target Victims: Criminals target victims by way of phishing or social engineering techniques.
2. Install Malware: The victims unknowingly install malware on their computers, often including key logging and screen shot capability.
3. Online Banking: The victims visit their online banking website and log on per the standard process.
4. Collect & Transmit Data: The malware collects and transmits data back to the criminals through a backdoor connection.
5. Account Takeover / Initiate Funds Transfer: The criminals leverage the victim’s online banking credentials to initiate a funds transfer from the victim’s account.
Source: Joint Fraud Advisory for Business: Corporate Account Take Over by USSS, FBI, IC3 and FS-ISAC.
Specialists are able to assemble the narrative, from the initial exploit through threat elevation to the context of the data that was ultimately compromised. Armed with such information, an organization is better able to prevent a similar attack from happening in the future, and also has a clear picture of how to handle other tasks related to the breach, such as client notification.

Breach notification often goes undiscussed. Furthermore, the responsibility of organizations to notify their clients, partners, and other parties about a breach varies from case to case and from industry to industry. In certain industries, federal and state regulations are the rule, but in others, it is solely up to the discretion of executives. In responding to the public, or proactively notifying clients, it’s best to wait until a full investigation is complete. It is important to know that there is a huge difference between an infection, or abnormal Web traffic, and a data breach—just because there is evidence that attackers tried to gain access does not mean they did so successfully. Moreover, even if hackers steal data, the type of data is central to the notification proceedings.

Oftentimes, organizations that suspect a breach will jump the gun and notify their clients before an investigation is complete. In the end, sometimes nothing serious happened—no confidential data was lost or stolen. Notifying clients before knowing there is a legitimate problem is, in and of itself, a huge risk. Understand that some clients might not be comfortable continuing business with a company that disclosed a breach. Organizations need to do themselves a favor and rule out the possibility of a false alarm first. That said, it is important to incorporate client notification as part of the defined incident response plan. It is always best to be proactive, but not to unnecessarily inform clients or authorities until it is known that a serious breach definitively happened.

Once a thorough investigation has been completed, and in the unfortunate case that personally identifiable information was stolen, it is important to work closely with legal professionals. Cybersecurity is very much a legal issue, with unique legal considerations. As previously alluded to, there are regulatory considerations that vary greatly between industries and states—for now. Until there is an overarching federal regulation that applies the same requirements to all industries, and defines the type of data whose theft must be reported, the current compliance and digital security laws remain the law, and they are a patchwork.

Furthermore, even after the narrative of a breach is assembled, the costs (both tangible and intangible) are hard to quantify. As such, it is also worth discussing with the legal department an investment in cyberliability insurance. Successfully mitigating the fallout of a breach and minimizing related costs requires harmony between everyone, but especially human resources, IT, and legal departments.

Similarly, after an incident, education is still the most important aspect of preventing another breach. Take an incident or a breach and use it as a valuable learning opportunity. After a security breach investigation, walk employees through every detail of what happened, pinpoint what the failures were, and, most importantly, learn from the event and prevent the same thing from happening again. No one individual can be held responsible for a breach in security; the entire team is responsible.
Conclusion

Preparation is key in any prevention strategy, and optimal security always starts at the human level. Best security practices are just that—practices. Security measures are always a work in progress and reflect the constant stream of new technology. It takes time to discover, learn, and implement the best methods. Ongoing education within this “culture of security” is imperative in trying to implement the best possible procedures. In this case, knowledge truly is power.
MARK LANTERMAN
ComputerForensic Services
www.compforensics.com

Mark Lanterman is chief technology officer for ComputerForensic Services in Minnetonka, Minnesota. Prior to joining CFS, he was a criminal investigator with over 11 years of law enforcement experience. In addition, he has successfully led thousands of forensic investigations, collaborating and supporting large legal organizations, corporations and government entities, having given expert witness testimony in over 2,000 matters. Mr. Lanterman is a sought-after speaker, conducts over 40 continuing legal education classes annually, and is an adjunct professor of computer forensics. He provides frequent commentary about cyber and privacy security issues for national print and broadcast media, including ABC, Al Jazeera, Bloomberg, BusinessWeek, CBS, FOX News, NBC, The New York Times, NPR, and The Wall Street Journal.

Mr. Lanterman received his bachelor’s and master’s degrees in Computer Science from Upsala College and has received many security certifications and training certificates, including from the Department of Homeland Security and the National White Collar Crime Center. He has authored “What You Don’t Know Can Hurt You: Computer Security for Lawyers,” Bench & Bar of Minnesota; “Elephant in the Room—Case Studies of Social Media in Civil and Criminal Cases,” Next Generation; and the eDiscovery Law and Tech Blog.

Mr. Lanterman can be reached at mlanterman@compforensics.com.
* * *

Reproduced from the October 2015 issue of The Risk Report. Opinions expressed in this article are those of the author and are not necessarily held by the author’s employer or IRMI. This content does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with an attorney, accountant, or other qualified adviser.