It's Your Dream Home: Protect It and Yourself

When seat belts came onto the world scene, they cost $200 and nobody was interested.  Insurance was first ridiculed and then considered a luxury for a long time.  You can’t really live without these today, can you?

Both seat belts and insurance have become personal involvement issues in our lives today.  In fact, ABS and airbags aside we’re even looking forward to the car that brakes on its own when it “thinks” there’s going to be an accident.  And yet, the task of securing your biggest investment – your hard-earned business, your “dream home” – becomes a delegated one.  The politically incorrect elephant in the room is asking – “where is the personal involvement when your biggest investment could be wiped out in one swing”?  A single hacker attack or information security breach at your business and your list of liabilities could be pretty grim.


Who Will Come After You?

It depends.  Companies like TJX Companies, Inc. and BJ’s Wholesale Club, Inc. faced enforcement action from the Federal Trade Commission (FTC).  The FTC takes enforcement action against businesses where it believes that the business is, to some extent, responsible for not protecting itself well enough.  Under what pretext, you ask?  Unfair or deceptive trade practices.  If yours is a bank or financial institution, the Office of the Comptroller of the Currency (OCC) is your best friend (not!).  The insurance industry needs to follow the HIPAA and HITECH regulations.  The education sector needs to follow the FERPA regulations.  If you process payment cards, you have mandatory requirements to follow, laid out by the PCI DSS.  The fact is, no matter what your industry, your business is currently regulated.  Even if you think you’re not regulated, you are – there are even State laws that make it compulsory for all businesses to disclose a potential security breach and notify the government and the customers.

In short, as an Entrepreneur, President, CEO, or a Member of the Board of Directors of a company you are liable for security breaches that lead to any disclosure of customer information.  And this liability will come in the form of an enforcement action accompanied by a monetary penalty that is proportionate to how bad the breach was.  This will then be followed by civil lawsuits including seething ex-customers who will then tell you how bad the breach really was.


How Much Are We Talking Here?

So, you’re thinking – “Ok, what’s the ballpark”?

  • ChoicePoint ended up paying $15 million.  They had a breach involving 163,000 records and going by the $2,500 penalty per violation, as per the Fair Credit Reporting Act (FCRA; amended to what is now known as the FACT Act), the initial penalty could have been as high as $407.5 million.
  • Let’s take another industry – VISA fined Fifth Third Bank $880,000 followed by a continued $100,000 per month thereafter.
  • If a charity wasn’t spared, what hope is there? – Norwood, a Jewish social care charity was fined £70,000 for a data protection breach.

Did You Notice…?

…that we haven’t even talked about the losses faced by companies themselves yet – we’ve only discussed fines, penalties, regulatory actions, and public humiliations.  So, let’s take a look –

  • Epsilon, a marketing services company, faced a “worst case scenario” loss of as much as $4 billion.  Note that this is the “worst case scenario” because nobody could really put a finger on the actual loss amount.  If you thought having a breach was bad enough, imagine probing in a board meeting about how much beating your business took and hearing – “We can’t say for sure”.  A chilling fact to add here – this breach involved hackers stealing sensitive information of only 3% of Epsilon’s customers.  Imagine that – just 3% of sensitive customer information could bring about this fate.
  • Fidelity National Information Services faced a class action lawsuit which, after settlement, ended up for them at up to $20,000 per affected person for unreimbursed identity theft losses.  Considering that 2.3 million consumer records were stolen, you can do the “potential” math.
  • Hackers, in October 2010, stole over $12 million from five banks in the U.S. and Britain.  The Zeus malware used by the hackers for this theft was available, at the time, in the black markets for around $1,200.  How’s the business model?

Beyond the obviously devastating monetary consequences, you will also deal with the fact that you can no longer look your clients and customers in the eye; you’ve lost their most valuable possessions that you once had with you – their respect and their trust.  How does one really build to last without respect and trust?


How Easily Could This Happen?

Let’s answer that in reverse.  Take the Zeus malware we just discussed.  What if you were told that an average school kid could (and did) run Zeus; that the malware can access your company’s bank information and drain your money while leading you to believe that your money is still in your account until it’s too late; that Zeus can fool your anti-virus software into believing that it’s an innocent little text file; that Zeus has also hit smartphones; and that even after losing your money you could still be liable if Zeus uses your computer to spread to other computers (which is a piece of cake for Zeus, because that’s what it was designed to do in the first place)?  And this is just Zeus – one cyber-threat among the millions that are out there today.  Let’s discuss only a few more –

Corporate Espionage:  Companies in China are allegedly emerging that run spying operations against U.S. companies at the request of their clients’ competitors.  They spy on companies and governments around the world.  But don’t let these recent emergences fool you into believing that this is a new concept.  Industrial espionage cost global businesses more than $200 billion a year…in 2006!  So, it’s not just China that’s spying on the U.S.; global businesses are spying on their competitors all the time.  The Chinese probably only offered to do it cheaper.  Think about this – when everything from financials to price quotations to billing rates to research secrets is electronic today, it means it’s all connected – either with a wire or wirelessly.  Once it’s connected, it can be taken.  And if it can be taken, why would your competitors not want to take it?

Cyber-Mafia:  Cyber-crime was a $105 billion business way back in 2004!  This operates just like the traditional mafia – there is a boss who never gets his/her hands dirty and thus has, technically, never committed a cyber-crime.  The next in the org-chart is the underboss who works in conjunction with the consigliere (the boss’ right-hand) and essentially sells attack tools such as Trojans, Keyloggers, Formloggers, and such malware (Zeus graduated here as well in the class of 2007) in the cyber black market.  Under them come several caporegimes, each commanding his/her own network of soldiers who ultimately carry out actual attacks.  This “network of soldiers” is like an interdependent talent pool – “Oh, we’re short on a few employees for this really important project; can we borrow yours”?  The most unsettling part about the Cyber-Mafia is that the boss could be located in Russia, the underboss in Indonesia, the caporegimes can do the legwork in Venezuela, China, and Nigeria, and the soldiers could essentially dot the entire globe.  How exactly do you “go after” them?

Cyber Extortion:  So your business has been doing prolifically well in the past few years and some cyber-crime groups or individuals want to “wet their beaks” in your success.  Let’s take a look at a real-life extortion e-mail from these folks –

Hello. If you want to continue having your site operational, you must pay us 10,000 rubles monthly. Attention! Starting as of DATE your site will be subject to a DDoS attack. Your site will remain unavailable until you pay us. The first attack will involve 2,000 bots. If you contact the companies involved in protection against DDoS attacks and they begin to block our bots, we will increase the number of bots to 50,000, and protection against 50,000 bots is very, very expensive.

You will also receive several bonuses.

  • 30% discount if you request a DDoS attack on your competitors/enemies. The fair market value of a DDoS attack on a simple site is about $100 per night; for you it will cost only $70 per day.
  • If your competitors / enemies turn to us to make an attack on your site, then we deny them.

How about that – extortion with a discount offer and an anti-competitor coupon code!  And they’ve done some pretty logical arithmetic as well.


It’s Your Dream Home…Get Involved!

When you work very hard to achieve something, a sense of entitlement sometimes blinds you to the possibility that what you achieved can actually be lost again.  You purchased your second home with money, but your dream home with your perseverance, even your health at times, and definitely several years of your life.  The math has to add up…get involved…it’s your dream home.

“It takes 20 years to build a reputation and five minutes to ruin it.  If you think about that, you’ll do things differently.”
– Warren Buffett
