Target Data Breach Not A Disaster

Everybody loves a good hack because it supposedly spells doom for the victim.  In this case the target in question is Target.  We're going to delve into the financials and see that, once again, a breach is no big deal for the stock.

First we will compare Target (NYSE:TGT) (green line) to the SPDR S&P Retail ETF (NYSE:XRT) (blue line) to look for the supposedly huge divergence between the retail sector as a whole and TGT since the hack.  The first thing we notice is that TGT has underperformed the basket of stocks that make up the retail sector.  When picking a single stock against a broad ETF that is bound to happen.  Next we notice that the ups and downs are about the same.  This tells us there was no major divergence in the stock price relative to the sector around the time the breach was announced in December.

[Chart: TGT vs. XRT comparison, 2014-03-26]

Next we'll take a look at TGT during the December shopping season.  Everyone in the infosec community jumped on the bandwagon that Target's sales were off because of the breach.  Just look at that drop!  It was obviously caused by the hackers, right?

[Chart: TGT, December through January, 2014-03-26]

Wal-Mart (NYSE:WMT) must have had the same problem if we look at December through January.

[Chart: WMT, December through January, 2014-03-26]

When we dig into XRT for the same period we see an almost identical wave pattern.  This suggests that everybody in retail had a rough winter, not just TGT.

[Chart: XRT, December through January, 2014-03-26]

The weather is why the entire retail sector is down.  Actually, every sector is down because of the weather; that is the trendy thing CEOs are blaming bad Q4 and Q1 results on.  Unless the hackers have a botnet that can control the weather, we can attribute TGT's ills, and everyone else's, to the Polar Vortex.

The other thing we need to consider is that huge gap up when TGT announced earnings.  That's a 7% move in a single day.  They posted 81 cents per share profit vs. a 79 cent consensus.  Revenue came in at $21.5B vs. a consensus of $21.45B.  In other words, Wall St. had already accounted for the potential downside and priced it in.  The impact was minor: Target reported $61M in breach-related expenses, offset by a $44M insurance recovery, for a net breach cost of $17M.  The options market agrees.  Implied volatility (IV) in TGT is currently 25% while the IV of XRT is 51%, so there is far more concern about downside in the retail sector as a whole than there is in TGT specifically.
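The chart comparisons above (TGT against XRT, and the "ups and downs are about the same" observation) are a by-eye version of a simple event study: measure the stock's return over a window around the breach announcement, subtract the sector benchmark's return over the same window, and compare the two series' volatility.  The following is an added example, not code from the original post, and the price series in it are constructed to illustrate the method rather than being real TGT or XRT closes.  It shows both the case the post describes (stock tracks the sector, so the breach-window abnormal return is near zero) and the case it argues against (a breach-specific drop that the sector did not share).

```python
"""Sector-adjusted event study for a data-breach announcement.

Given daily closes for a stock and a sector benchmark, compute the
stock's cumulative return over a post-announcement window, subtract the
benchmark's return over the same window (the "abnormal" return), and
compare realized volatilities.  A breach that matters to the market shows
up as a large negative abnormal return; one that the sector explains
shows up as roughly zero.
"""
import math
import statistics

TRADING_DAYS = 252  # annualization factor, assumption: US equity calendar


def daily_returns(closes):
    """Simple day-over-day returns for a list of closing prices."""
    return [(b - a) / a for a, b in zip(closes, closes[1:])]


def window_return(closes, start_idx, end_idx):
    """Cumulative return from close[start_idx] to close[end_idx]."""
    return closes[end_idx] / closes[start_idx] - 1.0


def annualized_volatility(closes):
    """Realized volatility of daily returns, annualized."""
    return statistics.pstdev(daily_returns(closes)) * math.sqrt(TRADING_DAYS)


def breach_impact(stock, bench, event_idx, post_days=5):
    """Sector-adjusted impact of an announcement at index event_idx.

    Returns a dict with the stock and benchmark window returns, their
    difference (abnormal return), the largest single-day abnormal move in
    the window, and the volatility ratio (stock / benchmark).
    """
    end_idx = min(event_idx + post_days, len(stock) - 1)
    stock_ret = window_return(stock, event_idx, end_idx)
    bench_ret = window_return(bench, event_idx, end_idx)
    stock_daily = daily_returns(stock)[event_idx:end_idx]
    bench_daily = daily_returns(bench)[event_idx:end_idx]
    daily_abnormal = [s - b for s, b in zip(stock_daily, bench_daily)]
    return {
        "stock_ret": stock_ret,
        "bench_ret": bench_ret,
        "abnormal": stock_ret - bench_ret,
        "max_daily_abnormal": max(abs(x) for x in daily_abnormal),
        "vol_ratio": annualized_volatility(stock) / annualized_volatility(bench),
    }


# Constructed sample data (not real quotes).  Index 5 is the announcement day.
BENCH = [80.0, 80.8, 81.6, 81.2, 82.0, 82.6, 81.9, 81.1, 80.3, 80.7, 81.2, 81.6]
# Stock that rides the sector's wave: the post's claim about TGT vs. XRT.
TRACKS_SECTOR = [60.0, 60.6, 61.2, 60.9, 61.5, 62.0, 61.4, 60.8, 60.2, 60.5, 60.9, 61.2]
# Stock that gaps down on the announcement while the sector does not.
BREACH_SPECIFIC_DROP = [60.0, 60.6, 61.2, 60.9, 61.5, 62.0, 59.0, 58.5, 58.0, 58.3, 58.6, 58.9]
EVENT_IDX = 5


def tracks_sector_case():
    return breach_impact(TRACKS_SECTOR, BENCH, EVENT_IDX)


def breach_specific_case():
    return breach_impact(BREACH_SPECIFIC_DROP, BENCH, EVENT_IDX)


if __name__ == "__main__":
    for name, result in (("tracks sector", tracks_sector_case()),
                         ("breach-specific drop", breach_specific_case())):
        print(f"{name}: stock {result['stock_ret']:+.2%}, "
              f"sector {result['bench_ret']:+.2%}, "
              f"abnormal {result['abnormal']:+.2%}, "
              f"max daily abnormal {result['max_daily_abnormal']:.2%}, "
              f"vol ratio {result['vol_ratio']:.2f}")
```

The first case comes out with an abnormal return of well under one percent and a volatility ratio near 1, which is what "the ups and downs are about the same" means in numbers; the second case shows an abnormal return of several percent on the announcement day.  With real closes you would also want a longer pre-event window for estimating a market beta rather than assuming the stock moves one-for-one with the sector ETF, but the matched-benchmark difference is the check the charts in the post are making.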

Will consumer behavior change as a result of incidents like this?  Unlikely.  TGT made a brilliant move by running its "We're Sorry, Save 10% This Saturday" sale the week of the breach.  Many savvy consumers went shopping, your Dearest Leader included.  Who can say no to a 10% off sale?  Everyone I know walked away with a deal and no stolen numbers.  Taking a gamble to get a deal is what you have to do.  You have to buy in before they do.  You have to buy the dip.

The thing security professionals and the writers at all the trade publications need to understand about consumer behavior is that a sale is something everyone in a bad economy will chase.  Most people have more than one credit card.  They can always use a different card until a replacement arrives if the numbers are compromised.  Consumers are generally not responsible for the bill if fraud does occur: in the US the Fair Credit Billing Act caps liability for unauthorized credit card charges at $50, the card networks' zero-liability policies usually waive even that, and only debit cards reported late carry real exposure.  That makes it the bank's problem, and most people don't care about the banks since the mess some of them caused in the housing market.  What exactly is the tragedy that all of the industry publications are writing about?  Either way the breach is the least of the banks' worries, especially if your name is Citi.

Once again we have a data breach followed by a company beating on EPS, while life for everyone goes on.  There is some economic impact, but it is spread among insurance companies, card processors, issuing banks and retailers.  The risk is shared among the sellers, and the buyers carry almost none of it.  Everyone on Wall St. knows that these kinds of incidents are nothing compared to disasters such as the Polar Vortex or a large oil spill in the Gulf of Mexico.  Until the magnitude gets that large, these events will be a nuisance rather than a disaster.

Where Does EMC Go After NSA Revelations

EMC seems to have quite a problem on its hands now that rumors have circulated that its RSA division accepted a payoff from the NSA.  We have already seen shareholder lawsuits against IBM for not disclosing the business risk of losing international business as a result of working with the NSA.  The related risks for EMC include failure to disclose NSA involvement to shareholders in its regular SEC filings, loss of business internationally and domestically from the customer backlash, and a regular reaming from the security community at conferences and other venues.

The weekly chart of EMC shows support/resistance just below 26.  A play in the direction of the breakdown or breakout could be available.  This is a wait-and-see trade where we need confirmation before entering.

[Chart: EMC weekly, 2013-12-24]

TGT Loses Payment Card Info Resulting In A Dip

After the breaking news over at KrebsOnSecurity that Target (NYSE:TGT) has been hit by a payment card breach, it is time once again to look for a dip to buy.  The low point at approximately $61 matches up with some decent support and resistance levels from 1Q13.  TGT is riskier than names in other sectors because of the retail environment at this time of year.  Any attempt to buy the dip should be made close to $61 with a very tight stop.  Any general bad news from the retail sector could blow this trade up.  Low trading volumes while the financial industry is on vacation could also cause large price swings in either direction.  Short put verticals are not the best fit here, though an ATM long call vertical gives about 50/50 odds over the next week.

[Chart: TGT, 2013-12-20]


Update: We decided to go with a weekly 62/63 long call vertical.  Closing out one day before expiration nets about 18.00 per contract.

Refusing To Hire Black Hats May Be Risky And Costly

The topic of hiring reformed Black Hats continues to be a matter of debate.  Some believe that "you're shooting yourself in the foot if you're not willing to hire a hacker," while others find the idea preposterous because, in their view, a person who has been convicted cannot be reformed.  Others may simply think it doesn't look good to hire convicted felons and dismiss the thought.  Unfortunately, in the US a blanket dismissal of that kind is no longer a safe policy, and the prevailing attitude toward convicted felons must change.

On April 25, 2012 the Equal Employment Opportunity Commission (EEOC) released new enforcement guidance on the Consideration of Arrest and Conviction Records in Employment Decisions.  In summary, the guidance warns that blanket policies excluding anyone with a conviction can violate Title VII through disparate impact, and calls for individualized assessment instead.  Security professionals should speak to HR, Legal, and other stakeholders to determine the proper process for applicants.  If two candidates with similar qualifications apply, an employer cannot simply reject the one with a felony conviction on that basis alone.

Employers must now take a variety of factors into consideration, such as age at the time of conviction, employment history, the number of offenses for which there is a conviction, rehabilitation efforts, and other criteria.  This adds a layer of complexity to screening applicants.  Businesses are starting to reconsider the importance, and more importantly the liability, associated with pre-employment background screening.  Risk-averse organizations may choose to forgo criminal background screening, since one defense against a discrimination claim is that the applicant's background was never checked.  The risk of an applicant alleging discrimination is also why many legal and compliance professionals recommend against social media reviews: if you do not know an applicant's religious or other affiliation, it is easier to defend against a discrimination claim.

One aspect to consider is whether the candidate is a good fit for the organization.  Personality and demonstrable skills are becoming more important than degrees and other factors.  Should we count arrest and conviction history among those other factors?  Security professionals are conditioned to believe that everyone must be squeaky clean.  In terms of stakeholder management this attitude does not always bring shareholder value and may be at odds with the strategic direction of the business.

The organization's Corporate Social Responsibility (CSR) policy or Compliance & Ethics Program may encourage hiring convicted felons as a means of helping them rejoin society.  Such policies can also help reduce recidivism.  The CFO may become involved in the discussion as well.  The US Department of Labor's Work Opportunity Tax Credit can save the company $1,600 to $9,600 depending on the target group of the employee hired (the ex-felon category sits at the low end of that range).  Maximizing tax efficiency is one thing that finance and accounting professionals do.  There can be a financial case for hiring convicted felons, especially in the information security discipline.

The topic of hiring reformed Black Hats is controversial, but once the complex legal requirements and the possibility of government sanctions are considered, the idea becomes worth serious thought.  Information security professionals can take part in the strategic direction of an organization by working with HR, Compliance & Ethics, and Finance to advance the organization's overall goals.  We have attempted to end discrimination based on a person's skin color.  The color of the hat they wear is something we should add to the list.

“It doesn’t matter whether it’s a white cat or a black, I think; a cat that catches mice is a good cat.” — Comrade Deng Xiaoping

Booz Allen Still A Good Investment

Accenture is interested in buying Booz & Co., a spin-out from Booz Allen Hamilton.  Someone got a little jumpy and bought shares of Booz Allen Hamilton thinking they were getting a piece of Booz & Co.  For a company that has had leaks there is still enough buying interest to support our hypothesis that hacking or leaking does not reduce the value of a company.


[Screenshot, 2013-07-30]

Leaking Data Does Not Hurt Value

At first glance it looked like $BAH would never get another government contract.  But now $BAH is up 30% from when it was revealed that Edward Snowden worked for them.  They are unlikely to be "leaked out of business" by Snowden's actions.  This adds to the historical evidence that companies do not go out of business when IP is leaked or stolen.  It appears that the cliche "any publicity is good publicity" is at work.

[Chart: BAH, 2013-08-02]

Improve Security and Efficiency By Going Cloud

Microsoft's cloud trust study indicates that cloud security is largely a matter of perception.  A recent Trustworthy Computing survey found that small businesses that try cloud services appreciate what they have to offer.  This is no surprise, since they are in business to make money, not to manage infrastructure.  Outsourcing is an opportunity-cost decision.  In almost all cases the impact on the business's cash flow statement will override any concerns about outsourcing vs. insourcing.  Small business survival depends on adopting Lean principles: reducing waste reduces cost.

94 percent of SMBs have experienced security benefits in the cloud that they didn't previously have with their on-premises service, such as up-to-date systems, up-to-date antivirus protection and spam email management.

91 percent of SMBs said the security of their organization had been positively impacted as a result of cloud adoption

Many non-technical SMBs without full-time IT staff will benefit from cloud services.  To get the full benefit of security monitoring it has to be a dedicated 24/7 function.  An 8-to-5 business that generates no revenue for the other 16 hours is sinking money into performing this function itself.  From a financial point of view it almost never makes sense to stand up a 24/7 IT shop in these circumstances.

While the survey covers businesses with 25-499 PCs, there is another demographic that cloud services can benefit.  Studies indicate that up to 50% of the US workforce will be self-employed by 2020.  The group that stands to benefit most from cloud services is the 1-5 person company where everyone involved is an owner/operator and all other work is subcontracted.  Cloud services make the most sense where the owners are the salespeople and unrelated people are the subcontractors.  It doesn't matter whether you're selling IT services or office cleaning services; you are already taking on risk by subcontracting.  Let's pretend you are selling IT services and you find a few generic MCSEs to do the hands-on work as 1099 contractors or B2B, LLC to LLC.  If your entire business is built around finding freelancers to do the work, you are already outsourcing.  What possible reason could you have for wanting to insource your IT infrastructure or personnel?

Security professionals who only look at security may survive in enterprise IT.  In SMBs every employee is not an IT professional or an accounting professional; they are stakeholders.  The ability to diversify your portfolio of skills, roles, and personality traits is what will make you a winning team member and a winning investor.

Leaking Is Not As Bad As Hacking

Booz Allen Hamilton (BAH) is getting slammed, according to Business Insider.  BAH was down 5% at most according to some news outlets.  Buyers quickly stepped in and propped up the stock, and it is hovering at around -3.5% on the day.

BAH lost 5%, while EMC and Lockheed lost 10% after their breaches before buyers stepped in.  We can conclude that leaking is only half as bad as being hacked.  This should be a lesson to all public relations teams: use the term "leak," not "data breach."

[Chart: BAH, 2013-06-10]

Entertainment Industry Wants Rootkits, Ransomware, and More

In an interesting piece at Boing Boing, the entertainment industry wants a piece of the APT action.  The report from the Commission on the Theft of American Intellectual Property, coincidentally copyright 2013 by The National Bureau of Asian Research, proposes taking rights management software to the next level.  Not only could one restrict who can open certain files, but one could scan the hard drive to determine whether there is additional IP that has not been paid for.  On top of that, it would legalize password-protecting ALL the files on the computer, much like ransomware, until someone could verify that the law was not being broken.

The real prize is in Chapter 13, page 81:

Recommendation:
Reconcile necessary changes in the law with a changing technical environment.
When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder's networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system's camera, implanting malware in the hacker's network, or even physically disabling or destroying the hacker's own computer or network.

The entertainment industry is opening an extremely large can of worms.  First, suppose they manage to lobby for an exemption from prosecution in these instances that applies only to the entertainment industry.  Our favorite article at Forbes suggests that 50% of the workforce will be freelancers or entrepreneurs by 2020.  It doesn't take much thought to see how this sort of lobbying could be turned against the industry that created it.  If 50% of the workforce works for one-person corporations, it is very easy to create an offshore subsidiary as a separate legal entity with separate bank accounts for the purposes of "entertainment licensing."

Such nonsense as invading ordinary citizens' hard drives would be stopped by mutually assured destruction.  All of these offshore subsidiaries could start contracting Hacking as a Service (HaaS) from other offshore companies to install ransomware in these mega-corporations as part of "intellectual property enforcement."  If the subsidiary collecting royalties is offshore along with the HaaS provider, it becomes very difficult for the entertainment industry to do anything but pay a licensing fee.

As traders we can follow these patterns and attempt to capitalize on 10-20% moves by short selling the companies getting shut down.  History has shown us that having intruders in your network does not affect stock value to a large degree; however, adding such companies to a watch list for ease of reference does not hurt.

While the entertainment industry is proposing outrageous solutions to a problem it has, it is still possible for other professionals to make money if these solutions become law.  These professions stand to benefit:

  • Lawyers, because no matter what happens, lawyers always win.
  • Infosec professionals, both on the offense and defense side
  • Management consultants who may set up subsidiary companies for the purpose of launching both legal (see Lawyers above) and virtual attacks
  • SMBs who may manage to collect licensing fees for their "one-off" ebook or song being on the wrong network at the wrong time
  • Day Traders who can capitalize on a single day news event where a company’s operating capability is shut down.

The measures proposed by the entertainment industry may never pass.  The industry should hope so.  In less than 5 minutes we have devised a way to create offshore companies bent on collecting licensing fees for misappropriated intellectual property, in a manner that may be in full compliance with the law, and untouchable depending on the country they are located in.  The entertainment industry should understand that this is possible and relatively easy to set up with today's technology.