14 December 2014

Intellectual Property: Material Risks Disclosure - Assumption of Breach...

The rules of the game may have changed across the corporate landscape.  Corporations that have been proactive in the management of Operational Risks are making headlines in the published press.  There is a race to build new 100,000 sq. ft. data centers around the globe to satisfy the insatiable competitive appetite of bandwidth-hungry enterprises, and that same on-demand capacity can be rented for offensive ends:
Sony Pictures Entertainment is fighting back
The studio behind the “Spider-Man” franchise and “The Social Network” has taken technological countermeasures to disrupt downloads of its most sensitive information, which was exposed when a hacking attack crippled its systems in late November.

The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter. 
Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said. The tactic was once commonly employed by media companies to combat Internet movie and music piracy. 
In one of the most devastating cyber security breaches in recent memory, a hacking group calling itself Guardians of Peace claimed to have stolen just under 100 terabytes of Sony Pictures’ financial information, budgets, payroll data, internal emails and feature films and has slowly leaked portions of it to public file-sharing sites such as PasteBin.
This cyber war has been facilitated by the rise of substantial new digital weapons and the cloud-based compute power to make it all happen.  The question is not who is behind the latest DoS of "PasteBin" so much as when the next Stuxnet-like design will gain favor with a private-sector organization.  The use of sophisticated offensive malware is not new.  Like the chemical weapons developed by nation states, variants and new zero-days can ultimately end up in the hands of militias and for sale on clandestine dark sites on the net.  The analogy has one flaw that makes the risk worse, not better: unlike a chemical stockpile, a leaked piece of malware can be copied and repurposed at essentially no cost, so a weapon built for one target rarely stays with one target.

A passage on Kim Zetter's recent book "Countdown to Zero Day" makes the point:
Before Stuxnet, most of America’s military and intelligence cyber-operations focused on stealing or distorting data, or used cyber-tools to help direct U.S. weapons. Stuxnet was envisioned by U.S. officials as a replacement for a conventional weapon. Using a computer virus or worm to gum up the works of something from within would provide an alternative to, say, destroying a nuclear facility from the air. Stuxnet appears to have done that. “Stuxnet stands alone as the only known cyberattack to have caused physical destruction to a system,” Zetter writes.
The copying, erasure or even encryption of corporate data, which then becomes the focus of an extortion plot, is the Operational Risk Management (ORM) business problem that remains on your Board Room doorstep.  The Sony Board of Directors now understands the liability of dealing with an incident costing upwards of $100 million, an adverse material event spawned from the cyber domain.  The rules of the digital game have changed.  Now what can be done about this particular wake-up call?

Besides getting your outside counsel to ramp up for a tremendous cache of billable hours and your Information Governance teams burning the midnight oil, the future strategy is now evolving.  How many digital files in your corporation contain proprietary Intellectual Property (IP)?  If you don't know the answer, then we recommend that you start counting.  You need to figure out what all of this data is worth, and for good reason.  At the other end of the Operational Risk spectrum are the SEC regulatory issues in the U.S.  Jeffrey Carr points to the SEC staff's cybersecurity disclosure guidance, which states:
“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.” 
The value of your particular organization's Intellectual Property can then be compared against the global demand for that IP.  What countries or companies are spinning up Research & Development operations in the same IP space your organization operates in?  Which U.S. companies are being encouraged to relocate a manufacturing plant overseas?  Why is this significant?  If there is a rising number of foreign R&D labs focused on your particular category of IP, then you can assume that your company is going to be a substantial target for sustained industrial espionage.  Regulatory burdens exist, and yet they may not be the greatest risk.

When there is not enough time or money to infiltrate your organization with insider human assets, the outsourcing of digital theft campaigns will begin, or a combination of insider theft operations in cooperation with outsourcing.  The hackers-for-hire trade is larger than you may know.  How much do you think a nation state would pay today, in U.S. dollars, for a zero-day of the kind Stuxnet carried (it used several)?  Mid to high six figures?  Not likely.  Seven or eight figures is getting closer.

While the malware used against Sony Pictures was built to exfiltrate data and cripple systems, and Stuxnet was built to disrupt a specific model of Siemens controller driving IR-1 centrifuges, the intent and motive may be quite similar: to disrupt and destroy the capabilities of your adversary.  Now the question for Sony is whether the sabotage can be attributed to a nation state, to a "disgruntled insider," or possibly to both.

The complexity and the longevity of the risk are evident.  The magnitude and the impact of the destruction are apparent.  Are you sure you don't have an Insider Threat?  See Appendix C of the CERT guide:
This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University's Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. Each practice includes features new to this edition: challenges to implementation, quick wins and high-impact solutions for small and large organizations, and relevant security standards. This edition also focuses on six groups within an organization (human resources, legal, physical security, data owners, information technology, and software engineering) and maps the relevant groups to each practice. The appendices provide a revised list of information security best practices, a new mapping of the guide's practices to established security standards, a new breakdown of the practices by organizational group, and new checklists of activities for each practice.