Information Security

Disinformation in a Divided World

A conventional wisdom has emerged since the election of Donald Trump in 2016 that new technologies and their manipulation by foreign actors played a decisive role in his victory and are responsible for the sense of a "post-truth" moment in which disinformation and propaganda thrive.

As part of our Reality Check Series, Cypress River Advisors will host a series of talks in Japan and Taiwan with Hal Roberts, co-author of Network Propaganda, from Harvard University’s Berkman Klein Center for Internet & Society. These fireside chats will be held at the end of July.

Network Propaganda is the most comprehensive study yet published on media coverage of American presidential politics from the start of the election cycle in April 2015 to the one-year anniversary of the Trump presidency. Analyzing millions of news stories together with Twitter and Facebook shares, broadcast television, and YouTube, the book provides a detailed overview of the architecture of contemporary communications.

Various stakeholders will join us at the talks, where we will examine how to diagnose the sources of, and potential solutions for, the perceived global crisis of democratic politics. If you are a regulator, telecom operator, broadcaster, or social network platform manager seeking to understand the complexity of network propaganda, contact us at inquiries@cypressriveradvisors.com.

Cyber Security is a C-Suite Problem, including the CEO

It is more important than ever for the C-suite (most importantly the CEO) to understand and build an information security culture to protect customers and shareholders. To put it more bluntly, it’s more than just an audit of the IT department you conduct once a year. As you read this sentence, customers of Marriott Hotel Group are still recovering from a 300 million user account breach which may have also included passport information. The data aggregation firm Exactis left 340 million records exposed on a publicly available server. In 2016, the Mirai botnet attacked Deutsche Telekom’s routers. At one point, Reuters reported 4.5 percent of DT’s fixed line customers did not have service. You are probably wondering why Cypress River Advisors, a strategy firm, would raise this issue. Traditionally, the boardroom has treated information security as the domain of the CTO. The problem is:

Cybersecurity is a CEO problem, not just a CIO/CTO problem. So what should you do about it?

Accept the Reality

We are all affected by asymmetric warfare techniques used by governments and by hackers seeking economic gain. Our financial livelihoods and futures are all connected, whether we want them to be or not. Outsourcing information security may shift some of the liability, but at the end of the day customers will hold you and your brand accountable.

The Basics: the CIA Triad

As markets evolve, so does corporate business strategy. The same must apply to a company’s information security posture, except that now it needs to be factored into your business strategy. You want to leverage cloud computing resources? Checks and balances need to be put into place to ensure updates don’t break the CIA triad. The CIA (confidentiality, integrity and availability) triad guides management thinking about the deployment and operation of new services. As more products and services incorporate cloud-based components or the Internet of Things, your business planning, operations and partnership arrangements must account for them. The CIA triad also defines the customer relationship. The consumer, regardless of the terms of service, has an implicit expectation that their data will always be safe and secure.

Threat Models

Today, the attack surface stretches far beyond the firewall and anti-virus software. Mobile devices, cloud infrastructure, messaging platforms, your Internet of Things, even your IP-based security cameras are in play as well. Anything connected to the internet is fair game, and that includes you and your employees.

Consider the Target compromise. Hackers breached an external vendor that supported Target’s HVAC system via a phishing attack. Phishing is still one of the most popular means to social engineer the weakest link in an organization: humans. People make mistakes. It is in our nature. Using stolen credentials, the attackers gained access to Target’s web systems, which were in turn connected to a point-of-sale system. Whoops! Target is now on the hook for $250 million of hack-related expenses.

In a related vein, consider a nightmare scenario. It is not uncommon for a management team to use WhatsApp to communicate with other team members. Breach one messaging account, and you breach every account in the chain. WhatsApp and other social networking messaging software rely on SMS two-factor authentication. Last year NIST, the National Institute of Standards and Technology, the body that creates national-level guidelines, announced that it considers SMS-based authentication no longer effective. (I’d provide you the NIST link, but apparently due to the shutdown their website is also down. Here is a TechCrunch article that covers the issue.)

Accept the reality your adversary can and will be creative.

Operational Business Practices

Ask your dev team: it is incredibly hard to build in security after the fact. In October 2016, the Mirai botnet attacked the Oracle subsidiary Dyn. Poorly secured IoT devices, specifically DVRs and IP cameras made by an OEM supplier, disrupted internet services on the eastern seaboard of the US. Companies white-labeling or incorporating XiongMai Tech’s hardware and software products definitely felt the impact at the bottom line.

My personal nightmare scenario is a product using biometric security that is rushed to market with software that wasn’t appropriately implemented. Why does that scare me? If someone can successfully hack the endpoint device and recover the user’s biometrics, they have the keys to the kingdom. You can’t revoke your fingerprint unless you cut your finger deep enough to scar it. Perish the thought if your voice or eye was used as a biometric authentication factor.

Instilling Culture

How do you solve this problem? It isn’t with more tech.

Information security is fundamentally a people problem. It is not just a software configuration or hardware design issue. Humans are infinitely easier to hack, and doing so doesn’t require any tech. Kevin Mitnick used social engineering to hack people for years until he got caught.

It is impossible to relegate all infosec responsibilities to just the CIO/CTO. Information security connects to all aspects of any organization delivering services via the Internet. Implementing ISO certification or PCI-DSS checklists, or purchasing a next-generation firewall, isn’t enough.

Complete executive sponsorship is critical. It can’t be a witch hunt; it must be incentivized, cultivated, and maintained like any other part of corporate culture.

It is about establishing a company culture and process that cuts across all business operations, from the design of your product to your vendors. The truth of the matter is this: if it isn’t a little painful, then you probably aren’t doing enough. Information security takes practice, training, and maintenance to implement right. Your consumers are creating all kinds of data. You may not even be monetizing it. But if you improperly handle it and lose it, you surely will feel it in your brand equity and the bottom line.

If you want to know more

I recommend you take a half hour to watch Morgan Marquis-Boire talk about data contraception. Morgan is a well-known security researcher and is the fellow responsible for protecting journalists at First Look Media. With the number of journalists murdered in 2018, I hope you understand that proper information security is also a life or death matter.

Please contact any one of us at Cypress River Advisors. We are ready to help you in the C-suite come up with a strategy that works for your organization. There are a number of industry groups attempting to tackle the issue from different perspectives. From the standards perspective, look to NIST (when the shutdown is over) and the Open Connectivity Foundation standards. Samsung, Intel, Microsoft, Qualcomm, and a few others participate. From the mobile wireless perspective, the GSMA released their IoT Security Guidelines and self-assessment. Consider CISA or CISSP training for the management team and your staff. (I am a CISSP from the early days of the Internet.) Both programs offer training for everyone from the C-suite down to your vendors.

Cyber warfare versus Mr. Robot

If you want a sense of what cyber warfare looks like, watch how hackers take over the grid in Ukraine.

Your business is collateral damage. Warfare is not just waged with guns and bombs anymore. It is getting into critical infrastructure and key business services and making civilian life as inconvenient as possible. Your business sits on that battlefield, where there are no borders. Keeping your business out of these shenanigans means being prepared and managing risk. That means having an honest conversation about your technological and people vulnerabilities. Endpoint and cloud security are not just the responsibility of your CIO and CTO; they are a CEO and Board responsibility.

Cyberwarfare isn’t executed by script kiddies; these are asymmetric warfare tools used by nation states.

There are no magic bullets. There is no single solution. It is a constantly changing game. You need to invest in people and technology. This is how you enable defense-in-depth. Hardware, software, processes, and people together ensure you have the ability to mitigate and recover quickly.