The Cybersecurity Playbook for Modern Enterprises

By : Jeremy Wittkop

Overview of this book

Security is everyone's responsibility and for any organization, the focus should be to educate their employees about the different types of security attacks and how to ensure that security is not compromised. This cybersecurity book starts by defining the modern security and regulatory landscape, helping you understand the challenges related to human behavior and how attacks take place. You'll then see how to build effective cybersecurity awareness and modern information security programs. Once you've learned about the challenges in securing a modern enterprise, the book will take you through solutions or alternative approaches to overcome those issues and explain the importance of technologies such as cloud access security brokers, identity and access management solutions, and endpoint security platforms. As you advance, you'll discover how automation plays an important role in solving some key challenges and controlling long-term costs while building a maturing program. Toward the end, you'll also find tips and tricks to keep yourself and your loved ones safe from an increasingly dangerous digital world. By the end of this book, you'll have gained a holistic understanding of cybersecurity and how it evolves to meet the challenges of today and tomorrow.
Table of Contents (15 chapters)

1. Section 1 – Modern Security Challenges
5. Section 2 – Building an Effective Program
9. Section 3 – Solutions to Common Problems

The macro-economic cost of cybercrime

The impacts of cybercrime on the global economy are significant. The impact of ransomware on infrastructure has been highlighted by the 2021 Colonial Pipeline ransomware attack, which is detailed in Chapter 3, Anatomy of an Attack. Colonial Pipeline supplied gasoline for large portions of the United States. With the pipeline offline, several states experienced gas shortages and gas prices rose significantly. The Equifax breach involved the personal information of millions of people, which contributes to the ongoing identity theft problem in industrialized nations. The American Semiconductor case, which began in 2011 and did not reach resolution until 2019, involved an existential threat to an American company that barely survived as a shell of its former self.

Each of these instances highlights the importance of cybersecurity in the modern world. Every organization, and even every person, has an interest and a responsibility in protecting their sensitive information.

While there are many direct and ancillary economic impacts of cybercrime, here are three major categories we should highlight. First, there is a global cost to identity theft. The implications for economies are significant, but behind the numbers are thousands of stories of individuals and families who have been hurt. Second, intellectual property forms the bedrock of Western economies. It could be said that all industrialized nations depend on intellectual property for prosperity; Western economies rely on personal property rights to power the economy. Finally, it is easy to lose sight of the damage done to individual companies and the employees who rely on them for their livelihood. When we look at the three major impacts of cybercrime, it is clear the damages can be devastating.

The global cost of identity theft

Identity theft has become a major problem globally. This problem impacts not only individuals but also entire economies. Personally Identifiable Information (PII) is information about an individual that distinguishes them from others and could be used to impersonate them. National identifiers such as social security numbers, social insurance numbers, or other government-issued identifiers are commonly associated with PII, but other attributes, such as names, phone numbers, and addresses, can also be damaging in combination. There is a well-established marketplace on the dark web for buying stolen personal information.

According to a CNBC article, "identity fraud cost Americans a total of about $56 billion" (Leonhardt, 2021) in 2020. Children are often victims and identity fraud costs generally fall directly on the consumer. As a result, a group of identity protection providers has emerged to help customers protect their identity, and if it is stolen, to pay legal fees to repair the damage. When companies lose large amounts of PII, the remedy is often to provide identity protection services for the impacted consumers.

Simply restoring an identity is not enough though. Many Western economies are consumer-driven, and if consumers are losing money to identity theft, they are not spending that money elsewhere in the economy. Therefore, the money lost to identity theft can be seen as economic leakage, causing downstream harm to businesses and individuals that are not victims of identity theft. In the United States, more than 1 in 100 people were victims of identity theft in 2020. The data privacy regulations discussed later in this chapter are the direct response from governments to this growing problem.

Intellectual property and Western economies

Most industrialized nations are built on the idea of personal property rights. Many times, those rights depend on the protection of intellectual property rights. It could be said, then, that the foundation of the global economy, with notable exceptions such as China, is the exclusivity of information and the ability of a person or a company to benefit economically from their ideas and discoveries. Theft of intellectual property threatens that foundation: if intellectual property cannot be protected, companies are less likely to invest in creating new inventions, and the economy will not grow as quickly as it otherwise could.

To prevent this from happening, Western economies have developed intellectual property protections that encourage discovery and offer exclusive rights for a set period of time to the person or entity that made the discovery or created the work. Intellectual property comes in many forms, with varying time limits as well as degrees of protection. In some cases, an organization could protect the same intellectual property in different ways. For example, a secret recipe could be protected by a patent, which would give it strong legal protections for a set period of time, after which it would go into the public domain, and anyone could see the recipe and use it for themselves. Alternatively, the company could choose to classify it as a trade secret, which has limited legal protection but no requirement for disclosure. As a result, most companies that make recipes, outside the pharmaceutical industry, use trade secrets. However, relying on trade secrets requires a higher level of protection to keep them secret. Protecting intellectual property appropriately requires an understanding of the property type and the legal protections offered. Let's have a look at them.

Copyrights

Copyrights are designed to protect works such as books, movies, and music. In the United States, a copyright must be registered with the Library of Congress for legal action to be taken, but copyright is granted as soon as a work is fixed in a tangible form, meaning committed to a hard drive, a piece of paper, or otherwise taken from an idea stage to a stage where it exists in the physical world.

Copyright grants five exclusive rights to an owner, which can then be licensed to others for the owner to earn income from their idea. Those five rights are the right to reproduce the work, publish the work, perform the work, display the work, or make derivatives from the work. Copyrights are normally long lasting, designed to last more than the lifetime of the person who created the work, but eventually, works do go into the public domain where others can use the work without paying the owner. Since copyrights are designed to protect the rights of the owner of a public work, there are few information security implications for protecting copyrights.

Patents

Patents are designed to give the owner an exclusive right to an invention for a relatively short period of time. After that time, the invention goes into the public domain and anyone can use it. The easiest example to understand is with medication. To incentivize pharmaceutical companies to invest capital in researching treatments and drugs, they are granted a period of time, generally between 10 and 20 years, where they are the only company that can sell that treatment or drug, and, within reason, they can charge whatever price they would like for it. When that time expires, other companies can access the formula and produce generic versions of the drug. When the patent for Tylenol expired, for example, anyone could use the formula to make generic acetaminophen, which is the same chemical formula as Tylenol; they just couldn't call it Tylenol because the brand name was protected by a trademark.

In the United States, patents must be filed with the United States Patent and Trademark Office, which is a lengthy process. There is a period of time between when something is discovered and tested and when it is filed for patent protection, and during that time, the idea or invention is very sensitive and should be protected. Most countries around the world that offer patent protection have a similar patent office that allows inventors to register their inventions and apply for patent protection. Also, most countries that recognize patents will also enforce patents originating in other countries to encourage trade.

Trade secrets

Trade secrets offer limited legal protection but have the advantage of never going into the public domain. In the beginning, trade secrets were protected only to the extent that the organization could keep them a secret. In 2016, the Defend Trade Secrets Act was passed in the United States, which provided a forum for victims of trade secret theft to bring lawsuits against those who have stolen or otherwise misappropriated their trade secrets if the secrets were intended to be used in interstate or international commerce. In the Act, a trade secret is defined as "all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing." (American Bar Association, 2016). There is a major caveat, though: the victim must prove they took reasonable measures to keep the information secret.

Therefore, if a company is a victim of trade secret theft and would like to bring a case, they must show what security measures they had in place to defend the secret. As a result, protecting trade secrets has become one of the most important parts of an information security program with respect to intellectual property protection. Since this is a young law, there is little precedent with respect to what qualifies as a reasonable measure. The most high-profile case so far concerns Uber and Waymo.

Example Case: Uber versus Waymo

In January 2016, a Google engineer named Anthony Levandowski left Google's self-driving car division, known as Waymo, to start his own self-driving truck business, named Otto. In August of the same year, Otto was acquired by Uber. Shortly thereafter, Waymo filed a lawsuit against Uber for trade secret theft. In 2018, 5 days into the lawsuit's trial phase, a surprise settlement was reached for approximately $250 million in Uber stock. Mr. Levandowski was eventually forced to declare bankruptcy and was sentenced to 18 months in prison for trade secret theft.

The story is not as simple as an employee leaving for another firm and taking information with him. It appears that the hiring of Mr. Levandowski was planned by then Uber CEO Travis Kalanick. "'I wanted to hire Anthony [Levandowski], and he wanted to start a company,' Kalanick said on Tuesday. 'So, I tried to come up with a situation where he could feel like he started a company, and I could feel like I hired him.'"(Larson, 2018). The question then became, was Uber part of Mr. Levandowski's plot to steal trade secrets from Waymo? Did Travis Kalanick have advanced knowledge of the theft? The case was among the highest-profile trade secret theft cases in history.

This is a classic insider threat case. Anthony Levandowski was a very talented and well-respected engineer. He was trusted by his friends and colleagues at Google, whom he ultimately betrayed. When he was hired, it is unlikely he intended to cause harm to Google. At some point, his motivation changed and he became a malicious insider. The civil lawsuit between Waymo and Uber was settled, and the criminal case against Mr. Levandowski ended in a plea agreement, so we may never know exactly how Google knew he stole documents on his way out. According to an article about the case published on The Verge's website, "Levandowski stole 14,000 documents from Google containing proprietary information about its self-driving cars and downloaded them on to his personal laptop." (Hawkins, 2019). While the article doesn't explicitly state what evidence Google had to support its claim, the fact that they knew the number of documents and the method of exfiltration tells us two important things. First, they had a system in place to monitor transfers from a repository where sensitive information was hosted, likely in the cloud, and second, they had that system configured to distinguish sensitive information from commodity information. In short, Google had an effective information protection program. If they didn't, Uber would likely be using the information to gain a competitive advantage over Google, and Mr. Levandowski would be a very rich, free man.

Defending trade secrets is difficult, but it is important. Many organizations dedicate significant capital to research and development. If the output of that research is not properly protected, an organization can fail to realize the full value of their discoveries. While Google had to spend money to defend their trade secrets in court, ultimately, they were successful in gaining both financial and injunctive relief and are free to compete in the marketplace without a primary competitor having the ability to compete against them unfairly. Now that you are aware of how trade secrets function, let's move on to trademarks.

Trademarks

Trademarks are a type of intellectual property designed to allow the provider of a good or service to distinguish that good or service from others. The intention of a trademark is to avoid customer confusion. The protection prevents someone from creating a product to compete with a well-known brand and making the name of the product and the look of the packaging so similar that the customer cannot tell the difference. Trademarks are designed to be as widely publicized as possible, so there is little need for an information security program to focus on protecting them.

Now that you have had a brief introduction to intellectual property, we should move on to the impact of cybercrime. Throughout the book, there are example cases that are designed to highlight specific concepts related to the topics we are covering. It is easy to look into the details of a case and forget about the real people behind the cases.

Micro-level impacts and responses to cybercrime

In addition to the macro-economic implications, the stories behind the headlines involve real companies and real people who are being hurt. We will examine some select high-profile example cases throughout the book to discover what happened, how similar attacks could be prevented, and just how damaging the attack was for those involved. It should be noted that many of these cases have been studied enough that root causes have been identified. While there are lessons to glean from others, I caution you against simply trying to build detection and prevention mechanisms for these specific attacks. Many security systems have tried such approaches in the past, with poor results. Trying to guess how an attacker will attack you and building an alarm to identify that specific attack pattern is ineffective. It is far more effective to identify what should happen inside your environment and build systems and processes to detect and respond to anomalies.

Each of the cases is an example of the devastating impacts of cybercrime for someone. As you read the cases, please try not to focus only on what happened technically and how these types of incidents can be prevented tactically; try to also consider the impact of the incident on the victim, the company, and the attacker. In some cases, the case seems to end well for the attacker. In many cases, it does not.

The impacts of cybercrime can be devastating, but the benefit to the attacker still outweighs the cost to individual companies. In many cases, the macro-economic damage far outweighs the direct cost to the company that failed to protect information, especially when dealing with PII. As a result, governments have introduced regulations in an effort to compel companies to protect information that has been entrusted to them.