A new world of discussion relating to digital information has emerged among legal commentators: cybersecurity. The legal news is replete with stories chronicling allegations of hackers from China, cyber-sabotage aimed at Iran’s nuclear program, spyware installed on rental computers, continuing attacks on U.S. banks and large commercial institutions, and the President’s executive order on enhanced cybersecurity services program.
The world of cybersecurity has surpassed the exclusive purview of information technology and security departments, and is on the radar screens of legal departments to assist in assessing and managing the risks of information security breaches. This is part one of a three-part series on cybersecurity for legal.
Legal departments need to understand the basic concepts and lingo of information security in order to manage and respond to the legal risks of cyber breaches. The following discussion is a basic primer on some key cybersecurity concepts for in-house attorneys.
“Viruses, Malware, and APTs… Oh, My!”
The first question perhaps is: What is this cybersecurity hubbub about, and how is it any different than the threat of computer viruses and hacks that we’ve known since the beginning of computers? We have long known of the threat of a computer virus, which is a software program or piece of code capable of reproducing itself that can cause harm to files or other programs.
A more generic term is malware, which is short for “malicious” or “malevolent” software, which is software used or created to disrupt computer operations, gather sensitive information or gain access to computer systems. Malware includes viruses, as well as a variety of other Pandora’s box manifestations, such as ransomeware, worms, Trojan horses, rootkits, keyloggers, spyware, and malicious Browser Helper Objects (BHOs). (A more comprehensive lexicon of terms is available here (PDF download, no registration is required.)
The new challenge is that cyber attacks have grown exponentially in frequency and variety. While standard industry cyber defenses have evolved, attacks are increasingly sophisticated and good at exposing new and unforeseen security gaps in an ever-changing technology environment. Information security departments often need to broaden their analysis to highly coordinated and sophisticated groups of attacks such as advanced persistent threats (APTs) which are longer-term patterns of hacking attacks aimed at accessing sensitive information.
The Ponemon Institute conducts an annual Cost of Cybercrime Study, which last year found that the 56 public and private organizations in its sample experienced 102 successful attacks per week and 1.8 successful attacks per company per week – a 42 percent increase from the previous year’s study. The average annualized cost of responding to these attacks was $8.9 million per year. Despite advances in technology geared to preventing these attacks, the conventional wisdom in responding to cyber attacks is not focusing on if a breach will occur, but when.
How are information security departments addressing these threats (and why are they not enough)?
A second basic question is: What is the current state-of-the-art for information security, and what is missing? Most organizations have a series of layered security defenses.
1. Firewall: The first line of defense that controls incoming and outgoing network traffic by analyzing data packets and determining whether they should be allowed through the network based upon a pre-determined rule set. It builds a bridge between an internal network and an external network (such as the Internet) after establishing that the external network is secure and trusted. Firewalls are designed to block unauthorized access to an organization’s network.
2. Intrusion prevention systems (IPS), antivirus software and spam filtering: IPSes are network security appliances (dedicated computers that plug into a network) that monitor networks and systems for malicious activities. An IPS will identify malicious activity, log information about the activity, attempt to stop the activity and report it. Antivirus software installed on computers or networks also works to prevent, detect and remove malware. IPS and antivirus software work to block known attack methods and malware. Spam email filtering is layered within these systems to sort messages that can be delivered unchanged to a user’s mailbox instead of being re-directed elsewhere, like “junk mail,” or blocked messages would be.
Data Loss Prevention (DLP) works to detect and prevent potential data breaches by monitoring, detecting and blocking sensitive data. An example is software designed to search for personally identifiable information that’s on computers or that is traversing the network, such as through email.
Other tools include malware protection or anti-malware software, which is designed to detect and remove malware that has already installed onto a computer, detect anomalies in network traffic indicative of a threat and block malicious communications.
3. Configuration Management: Configuration management is the management of security features and assurance through control of changes made to software, hardware and other aspects of the IT infrastructure. The process of gathering, analyzing and presenting information from network and security devices is accomplished through Security Information and Event Management (SIEM) software, which consolidates the security alerts generated by network and hardware applications.
Within this layer is also vulnerability assessment, which is a process of identifying, quantifying and prioritizing the vulnerabilities in the IT infrastructure. A vulnerability assessment product is designed to scan machines on the network to attempt to identify those that are susceptible to a known threat.
The security workflow encompasses three general phases. The first is detection, which includes firewalls, IPSes and data loss prevention. The second is incident management, and finally, incident response, which deals with the containment and investigation of malware, and the recovery from the attack.
Today’s Big Challenge: Conducting “Triage” on the Storm of Alerts
Today’s incident response challenge has three strands:
- The high volume of security alerts generated on a daily basis
- The proliferation of a myriad of alerting tools attempting to keep tabs on the known and unknown threats
- The increasing organizational risk of compromising confidential or privileged data.
The difficulty in playing cyber defense is that the good guys have to be right every time in blocking and countering unauthorized breaches, while the bad guys only have to be right once in finding and exploiting a breach. Moreover, while most security solutions are focused on finding known threats, a growing area of cyber threats has long been zero-day attacks, which exploits a previously unknown vulnerability in computer applications and launches an attack on “day zero” of the awareness of the vulnerability. Developers have zero days to address and patch the vulnerability.
This introduction to cyber-vernacular gives you a working lexicon for working productively with your chief information security officer and chief technology officer. We have much more to learn on the technical issues, but having a grasp of these basic concepts provides a foundation for the conversations needed to understand and coordinate an intelligent response to today’s cyber risks.
Don’t fear the rhetoric: engage!
(Thanks to my colleagues at Guidance Software for technical feedback on this article—Mel Pless, Senior Director, Solutions Consulting, Jamey Tubbs, Director, Professional Services and Training, and Anthony Di Bello, Strategic Partnerships Manager.)