From London, the US-UK Global Cyber Security Innovation Summit: “we are leaving our digital front doors wide open” [UPDATED]


In its new format, “Weekend E-Discovery/Tech Diversions” will focus on one story, an interesting e-discovery or technology event or post (or a mix of the two).

eTERA Consulting is the sponsor of “Weekend E-Discovery/Tech Diversions”.


While eTERA Consulting provides services across the entire Electronic Discovery Reference Model, it is well known for its Opt1mum One managed services eDiscovery program. Opt1mum One offers customizable solutions that deliver 12 key business objectives including budget predictability, cost savings, data access and control, and security. For more about eTERA see the end of this post.


“Target. Home Depot. Jennifer Lawrence. Everyone gets hacked”

– from the Financial Times report of the Summit

20 September 2014 – Last week saw the first ever US-UK Global Cyber Security Innovation Summit in London. There was the announcement of competitions for companies to develop ideas to tackle cyber security threats, suggestions on how to incentivize “Black Hats” to become “White Hats” (use bounties to encourage “white hat” hackers to expose vulnerabilities before they’re exploited by more malevolent forces), and lots of talk about everybody’s biggest fear … the upcoming “Wild West” as the internet of things exposes us to greater and greater threats beyond personal data theft. Like the relative ease with which a hacker can take control of your pacemaker, or your home security system.

Or worse. As Donald Rumsfeld once said, it’s the unknown unknowns we have to fear most, and the cyber security threat falls distinctly into that category. Surely it’s a known unknown?

Conferences of this sort are always hard to summarize/review. There is just so much to cover. So here are a few personal notes on what Eric and I thought important. We’ll try to follow up in the coming weeks with more detail:

1. The overriding issue: as the world gets more connected, hackers … whether financially or politically motivated … are becoming increasingly creative. Technology tends to outpace the efforts of legislators and security services. Significant blind spots in national cyber defenses abound. In this war, the battlefield is everywhere, bugs are weapons, and cybercriminals are arms dealers. The idea that a software bug can be worth actual dollars and cents is an odd one. Bugs are mistakes; people generally pay money to fix them. The fact that there’s a market for them is a consequence of the larger oddness of our present technological era, in which our entire world–our businesses, medical records, social lives, governments–is emigrating bit by bit out of physical reality and into the software-lined innards of computers in the form of data. A lot of people are interested in that data, for reasons both good and bad. Some of those people are spies. Some of them are criminals. Bugs are what they use to get at all that information.

2. There was much talk about the high-profile hacking of celebrities’ private pictures from Apple’s cloud service. The incident drew much criticism of Apple’s security systems. But the opinion of experts at the conference was different: they argued the celebrities were at fault for using weak passwords, or failing to take advantage of additional security features like two-step verification. Well, it’s not a great idea to store compromising pictures of yourself online in any mode. Anyone who knows anything about security is unlikely to store sensitive information on a third-party platform, and they will probably avoid committing anything overtly compromising to pixelated form ever. But the cyber security experts say just a little bit of effort and education can significantly decrease our chances of being hacked. For example, even now, some of the most common passwords are still “123456” and “password”. So while storing extremely sensitive information on third-party platforms is never a good idea, there’s no need to withdraw into the digital dark ages due to paranoia, as long as you take basic precautions.

But getting to grips with password security is challenging and some of us probably need support to change bad habits. Training is a big issue, and there’s a lot of pressure on both governments and corporations to up their game when it comes to public awareness. This applies particularly to employees in critical industries like utilities and the emergency services.

3. Criminal hackers are responsible for by far the largest number of attacks in cyberspace and have become arguably the biggest threat facing companies. Some groups have organized themselves so thoroughly that they resemble mini-multinationals. Earlier this year a joint operation by police from a number of countries brought down the cybercrime ring behind a piece of malware called Blackshades, which had infected more than half a million computers in over 100 countries. The police found that the group was paying salaries to its staff and had hired a marketing director to tout its software to hackers. It even maintained a customer-support team. Such organised hacking empires are becoming more common.

And they are cheap! Said one commentator: it is not expensive at all to recruit 2,000 Chinese, 500 Russian or 300 Bulgarians, all of whom are excellent computer scientists. It costs far less than building a ballistic missile, a fighter jet or a nuclear reactor. Building the equipment needed for an attack and the price to “pay” for an attacker is practically zero.

And how do they do it? Teams spend their days banging on software looking for ways in: browsers, email clients, instant-messaging clients, Flash, Java, industrial control systems, anything an attacker could use as an entry point. One thing they try to maintain is a capability in every major backup software out there, because that’s one of the juiciest targets. Said an analyst: “if you get on an enterprise network, what is an administrator going to want to protect? Their important information. What do they use to protect that? Backup software.” And the professionally organized teams type up a professional-looking report along with technical documentation that explains what it does, where it lives, what it gets you, how to spot it, what versions of the software it works on, how one could mitigate it and so on. The full procedure you’d have to follow to actually trigger the bug and take advantage of it. A zero-day vulnerability.

A note on that term, zero-day: it refers to a bug’s freshness. Bugs, like fish, don’t age well, and zero-day means that the bug has been public for exactly zero days, hence no one has tried to fix it yet. The term is so ubiquitous that it has gone from adjective to noun. Cyber gangs sell zero-days.

4. One of the reasons for this US-UK conference was that cybercrimes often involve multiple jurisdictions, which makes investigations complicated and time-consuming. And good cybersleuths are hard to find because the sort of people who are up to the job are also much in demand by companies, which usually offer higher pay. So governments are cooperating more and more, and sharing their human assets more and more.

5. There was much discussion on how government spies typically use the same tactics as cybercriminals so sometimes it can be hard to tell the difference between state-run spying and the private sort. When Mandiant, a cyber-security firm, published a report last year about China’s industrial-espionage activities, it labelled it “APT1”. The report claimed that Chinese hackers from Unit 61398, a Shanghai-based arm of the People’s Liberation Army, had broken into dozens of corporate networks over a number of years, paying special attention to industries such as technology and aerospace that China sees as strategic. In May America’s Justice Department indicted five Chinese hackers from the unit in absentia for attacks on the networks of some American firms and a trade union.

6. And there was much chat about Richard Danzig’s detailed report in which he likens society’s growing dependence on information technology to surviving on a diet of poisoned fruit. He says we’re taking risks with critical cyber-systems that ultimately can cause irreparable harm. He says the U.S. needs to rely less on cybersystems designed for its critical infrastructure. To get to a higher state for critical systems he says we “need to cut back in our use of cyber, mix into those systems analog, non-digital components, or incorporate human variables in the loop. We need to build in resiliency which anticipates failure because ultimately insecurity is ineradicable”. 

But it is now all so, so complicated and intertwined. In a cyber-world, the frontiers between public and private sector are not identified by shareholder organization or by governance. These frontiers are in fact porous, because of service activities. Private individuals need and use health services, the army needs logistics, while tax-paying companies pay their corporate taxes to the ministry in charge of finance. Cyber-space is a rather complex combination of 3 layers running through 3 “worlds”, making up a deep, connected ensemble.

First we have the physical layer (cables, optical fibres, submarine cables, radio and satellite links, switchgear…): in short, the system that supports and transmits information.

Then comes the data processing layer with its computers, robots, server stations, protocols, directly usable software packages, like Windows, the robot control software, or software incorporated on board automobiles.

Lastly we find the information content and function layer, which is the most visible and most often associated with cyber-security: we are talking here about data, applications, information content, whether processed or stored, or cloud processed, covering activities like online data and secure online financial transactions (most purchase payments).

These layers run through horizontal and vertical worlds that, historically, have always been separated, given that the technologies involved had their inception, standards and industrial make-up set in different worlds. But now …. well, intertwined and virtually inseparable.

7. And weakness can come at the most mundane level. One example … and this has been a topic on many blogs over the year especially how it was used to hack a Washington, D.C. law firm … is the mundane example of the computer printer found in most offices. In a high-security environment, printing could be essential. But most printers contain memory chips, are network connected and can make copies of highly sensitive or top-secret documents as well as fax them. For a skilled cybercriminal, easily hacked.

8. The best line of defense? The main factor is real-time reactivity. To reduce the level of damage, you must firstly shorten the time after discovery of an attack. Probes should be installed in the system environment. High-level cyber-criminals will still get through, while others will leave faint signals of their stay: a desk position that remains “active” during non-work hours, a data stream transmission using a usual protocol. When there is a suspicion, we can go look for the intrusion and identify it. The second key point here is to be selective, inasmuch as you cannot protect everything all the time. The data handling systems should be segmented into non-miscible units, i.e., threat-proof, with professionally managed system access authorizations.
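As an added illustration (not part of the original post), here is one way a probe could flag the first signal mentioned above, a desk position that stays “active” outside work hours. The log format, workstation names, event name and working hours are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, time

# Constructed sample events (hypothetical format): timestamp, workstation, event
SAMPLE_EVENTS = """\
2014-09-15T09:12:03 WS-ACCT-07 session_active
2014-09-15T17:48:51 WS-ACCT-07 session_active
2014-09-16T02:31:10 WS-ACCT-07 session_active
2014-09-16T02:47:42 WS-ACCT-07 session_active
2014-09-16T10:05:00 WS-LEGAL-02 session_active
2014-09-20T14:20:00 WS-LEGAL-02 session_active
malformed line
"""

WORK_START, WORK_END = time(8, 0), time(19, 0)  # assumed working hours
WORKDAYS = range(0, 5)                          # Monday (0) to Friday (4)


def parse(line):
    """Return (timestamp, host, event), or None for a line that does not parse."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def is_off_hours(ts):
    """True on weekends and outside WORK_START <= t < WORK_END on workdays."""
    if ts.weekday() not in WORKDAYS:
        return True
    return not (WORK_START <= ts.time() < WORK_END)


def off_hours_activity(log_text, min_events=1):
    """Map each workstation to its off-hours activity timestamps.

    min_events lets the analyst ignore a single stray event and keep only
    hosts that were repeatedly active outside working hours.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the scan
        ts, host, event = rec
        if event == "session_active" and is_off_hours(ts):
            hits.setdefault(host, []).append(ts)
    return {h: v for h, v in hits.items() if len(v) >= min_events}


if __name__ == "__main__":
    for host, stamps in sorted(off_hours_activity(SAMPLE_EVENTS).items()):
        print(host, [s.isoformat() for s in stamps])
```

A hit is only the “suspicion” the text describes: it tells the analyst where to go look, not that an intrusion occurred.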

 

BY: 

Gregory P. Bufithis, Esq.

Founder/CEO

Eric De Grasse

Chief Technology Officer

The Project Counsel Group

 As always, any comments, questions, suggestions to:

info@projectcounsel.com

Our sponsor:

eTERA Consulting, selected as the Best Data and Technology Management eDiscovery Provider by the Legal Times in 2013, provides innovative solutions to help Fortune 1000 and Am Law 200 clients overcome the high costs of managing large volumes of data, electronic discovery, content searching and operational challenges.

As a technology independent international consultancy, eTERA offers four key services fully described here:

 http://www.eteraconsulting.com/capabilities/services

that encompass:

  1. Early Information Assessment®,
  2. Forens1cs One (sm),
  3. 1ntelligent One (sm) and
  4. Opt1mum One® Managed Services.

These solutions help clients to proactively identify and interpret key data early in the life cycle allowing for significant cost savings, data reduction, enhanced decision-making abilities, increased efficiencies and lower risk.

eTERA Consulting provides clients with the subject matter, technical and management expertise needed to defend against litigation, government investigations and regulatory oversight. eTERA’s diverse team of data management, technology and eDiscovery experts have managed the most complex matters of our times. eTERA Consulting has been recognized by the National Law Journal as the nation’s top managed eDiscovery service provider, litigation consulting firm, and data and technology management company.

Headquartered in Washington, DC, eTERA Consulting has served the legal vertical since 2004.
