Refusing To Hire Black Hats May Be Risky And Costly

The topic of hiring reformed Black Hats continues to be a matter of debate.  Some believe that ‘You’re shooting yourself in the foot if you’re not willing to hire a hacker’ while others believe such an idea is preposterous because it is not possible to reform any person who has been convicted.  Others may believe it simply doesn’t look good to hire convicted felons and dismiss the thought.  Unfortunately it isn’t possible to simply dismiss the idea in the US, and the continuing attitude toward convicted felons must change.

On April 25, 2012 the Equal Employment Opportunity Commission (EEOC) released new enforcement guidance regarding the Consideration of Arrest and Conviction Records in Employment Decisions.  In summary, the enforcement guidance prohibits blanket policies against hiring convicted felons.  Security professionals should speak to HR, Legal, and other stakeholders to determine the proper processes for applicants.  If two candidates with similar qualifications apply, an employer cannot simply choose not to hire the felon.

Employers must now take a variety of factors into consideration such as age at time of conviction, employment history, number of offenses for which there is a conviction, rehabilitation efforts, and other criteria.  This creates a layer of complexity in screening applicants.  Businesses are starting to reconsider the importance, and more importantly, the liability associated with pre-employment background screening.  Risk-averse organizations may choose to forgo criminal background screening since one defense against a discrimination claim is that the applicant’s background was never checked.  The risk of an applicant alleging discrimination is also why many legal and compliance professionals recommend against social media reviews.  If you do not know an applicant’s religious or other affiliation, it is easier to defend against a discrimination claim.

One aspect to consider is whether or not the candidate is a good fit for the organization.  Personality and demonstrable skills are becoming more important than degrees and other factors.  Should we consider arrest and conviction history among those other factors?  Security professionals are conditioned to believe that everyone must be squeaky clean.  In terms of stakeholder management this attitude does not always bring shareholder value and may be at odds with the strategic direction of the business.

The organization’s Corporate Social Responsibility (CSR) policy or Compliance & Ethics Program may require that the organization hire convicted felons as a means of helping them rejoin society.  Such policies can also help reduce recidivism.  The CFO may also become involved in the discussion.  The US Department of Labor Work Opportunity Tax Credit can save the company $1600-$9600 depending on the employee hired.  Maximizing tax efficiency is one thing that finance and accounting professionals do.  There can be a financial case for hiring convicted felons, especially in the information security discipline.

The topic of hiring reformed Black Hats is controversial, but once the complex legal requirements are considered, the possibility of government sanctions makes the idea of hiring Black Hats worth considering.  Information Security professionals can take part in the strategic direction of an organization by working with HR, Compliance & Ethics, and Finance to enhance the organization’s overall goals.  We have attempted to end discrimination based on a person’s skin color.  The color of the hat they wear is something we should also add to the list.

“It doesn’t matter whether it’s a white cat or a black, I think; a cat that catches mice is a good cat.” — Comrade Deng Xiaoping

Entertainment Industry Wants Rootkits, Ransomware, and More

In an interesting piece at Boing Boing, the entertainment industry wants a piece of the APT action.  The report from the Commission on the Theft of American Intellectual Property, coincidentally copyright 2013 by The National Bureau of Asian Research, proposes taking rights management software to the next level.  Not only can one restrict who can open certain files, but now one can scan the hard drive to determine if there is additional IP that has not been paid for.  Not only that, it would legalize password protecting ALL the files on the computer much like ransomware until someone could verify that the law was not being broken.

The real prize is in Chapter 13, page 81:

Recommendation:
Reconcile necessary changes in the law with a changing technical environment.
When theft of valuable information, including intellectual property, occurs at network speed, sometimes merely containing a situation until law enforcement can become involved is not an entirely satisfactory course of action. While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.

The entertainment industry is opening up an extremely large can of worms.  First, let us consider that they manage to lobby to have only the entertainment industry exempt from prosecution in these instances.  Our favorite article at Forbes suggests that 50% of the workforce will be freelancers or entrepreneurs by 2020.  Not much thought is needed to discover how to use this sort of lobbying against the industry that created it.  If 50% of the workforce works for one-person corporations, it is very easy to create an offshore subsidiary as a separate legal entity with separate bank accounts for the purposes of “entertainment licensing”.

Such nonsense of invading common citizens’ hard drives would be stopped by Spartacus-style mutually assured destruction.  All of these offshore subsidiaries could start contracting Hacking as a Service (HaaS) from other offshore companies to install ransomware in these mega-corporations as part of intellectual property enforcement.  If the subsidiary collecting royalties is offshore along with the HaaS provider, it makes it very difficult for the entertainment industry to do anything but pay a licensing fee.

As traders we can follow these patterns and attempt to capitalize on 10-20% movements from short selling the companies getting shut down.  History has shown us that having intruders in your network does not affect stock value to a large degree; however, adding companies to a watch list for ease of reference does not hurt.

While the entertainment industry is proposing outrageous solutions to a problem they have, it is still possible for other professionals to make money if these solutions become law.  These professions stand to benefit:

  • Lawyers, because no matter what happens, lawyers always win.
  • Infosec professionals, both on the offense and defense side.
  • Management Consultants who may set up subsidiary companies for the purpose of launching both legal (see Lawyers above) and virtual attacks.
  • SMBs who may manage to obtain licensing fees for their “one off” ebook or song being on the wrong network at the wrong time.
  • Day Traders who can capitalize on a single day news event where a company’s operating capability is shut down.

The measures proposed by the entertainment industry may never pass.  The industry should hope so.  In less than 5 minutes we have devised a way to create offshore companies bent on collecting licensing fees for misappropriated intellectual property, in a manner that may be in full compliance with the law, and untouchable depending on what country they are located in.  That is something the entertainment industry should understand is possible and relatively easy to set up with today’s technology.

Security and Privacy are Dead and Nobody Cares

A casual observation of investor confidence after an infosec breach.

One of the issues that security and privacy professionals discuss with our clients is the potential loss of customer confidence if confidential information is compromised.  The responses to this concern vary across industry and business size.  The controls implemented would vary based on the information collected, the tolerance for risk, and the client’s ability to implement cost effective controls.  Since the downturn in the economy many companies have been scaling back expenditures on security controls and accepting more risk.  This involves taking a compliance centric view, making expenditures only on technology and personnel needed to comply with the law or self-regulating industry standards, rather than a risk centric view.  When accepting more risk it is reasonable to assume that the probability of a security incident will increase and/or the impact and remediation will be more costly to clean up.  Does this present any concern for the public?

Several technology executives have implied ‘privacy is dead, get over it’.  With the proliferation of social tools such as Facebook, Twitter, Foursquare, Gowalla, and Google Latitude, the general public has no problem with letting their “friends” or the whole internet know where they are and what they are doing.  Many people, especially the younger generations, don’t see it as a big deal to broadcast that they aren’t home or their most intimate and politically incorrect thoughts.  Granted, GenY is focusing more on buying experiences rather than material possessions, so the impact of burglary may be less for GenY, but that is another topic we may discuss in detail under a personal finance tag in the future.  The silent death of privacy across generations may also be foretelling the death of security from the viewpoint of the public.

As company executives accept more security risk, the consumer public has also been accepting more risk or relying on risk transference to protect themselves.  Combine apathy with risk transference and you have a big stiff cocktail of SNMP (Someone’s -Not Mine- Problem).  ATM skimmers are all over the news, and among the GenX and younger crowd there is relatively little concern when compared to older individuals.  That is derived from a very small sample, so take it as you will.  Why no concern?  Most credit cards have zero liability for the consumer, and fraudulent charges can be corrected immediately along with a new credit card sent overnight.  To the consumer this is a minor irritation and the only people suffering are those dirty Wall Street bankers everyone loves to hate.  Even debit card fraud is only slightly more irritating when dealing with small community banks and credit unions, which are likely to have the same consumer protections as credit cards.

Is the public suffering from apathy when companies experience a security breach?  Is security dead, and is the inconvenience of having information compromised something that we will just have to put up with going forward?  If we are not there yet we may be getting there soon.  When examining investor confidence in companies that have had security incidents there appears to be very little concern, even for large security breaches.  When compared to the overall S&P 500 Index, several of these companies rise and fall along with the Index.  This would indicate that any declines in share price are related to the Index itself falling.

In recent days EMC and SPX are up and down together.

[Chart: EMC vs. SPX, 2011-06-03]

Lockheed Martin experienced a large percent move relative to SPX, but the ups and downs do have some correlation.

[Chart: LMT vs. SPX, 2011-06-03]

L-3 Communications has moved with SPX very closely since news of the intrusion broke.

[Chart: LLL vs. SPX, 2011-06-03]

Sony has underperformed when compared to SPX, and their stock price has been affected by multiple intrusions and related news stories.

[Chart: SNE vs. SPX, 2011-06-03]

EMC declined in mid March after the breach.  The decline of about 10% was relatively small compared to what it could have been.  Three months later EMC is performing as if the breach and any long term issues are a distant memory.  EMC is currently trading in a range between 27 and 28.75.

[Chart: EMC, 2011-06-03]

Near the end of May Lockheed Martin announced that they had been the victims of a security breach.  Nothing unusual happened to the stock price and the declines can be correlated to losses in the general market. 

[Chart: LMT, 2011-06-03]

L-3 Communications has also been pulling back, but after a shooting star candle and confirmation the next day, that could be expected.  We can assume that any loss in value is simply related to overall market corrections.

[Chart: LLL, 2011-06-03]

Sony may be the exception since they have lost a lot of value since March.  Sony is different than Lockheed or L-3.  They have been punished multiple times by various hacking groups and the news stories simply won’t go away.  The decline is about 30%.

[Chart: SNE, 2011-06-03]

Compare and contrast the charts above with this chart of BP after the Deepwater Horizon explosion.  The stock declined almost 50% before beginning to recover and reached -30% after a week.

[Chart: BP, 2011-06-04]

There are differences between all of the companies that prevent an apples-to-apples comparison.  Customers of Lockheed Martin can’t obtain a substitute from someone else as easily as Sony customers.  BP is in the business of tangible goods, and an oil spill has a different impact in the minds of investors and the public than a data breach.

Conclusion:

Based on non-scientific, casual observations, a one-time news event has little effect on the stock price when compared to multiple news stories over a period of time.  This is important to the overall business ecosystem from several viewpoints:

  • Short sellers in the market may be able to take advantage of short term moves in price, but if the story fades from the news it would be best to cover and wait for more news.
  • Hacktivists wanting to teach a long term lesson to a company will need to hit them multiple times or release breadcrumbs of information over a period of time to keep the story in the news so it can wear on investor sentiment.
  • Consumers will need to accept that the impact to a company will be relatively minor if they mishandle private data one time. Wall Street will not severely punish the companies for poor data handling practices.
  • Security and Privacy professionals will need to give up on selling the idea that a one-time security breach will harm their client’s business.  Based on these stock charts there is little incentive to spend money on prevention.
  • Consumers are at the mercy of the companies they deal with and simply put up with the inconvenience. There is little evidence of a crippling or destroying exodus of customers or a change in consumer behavior.

Disclosure: We currently have no long or short positions mentioned in this post. We may have held positions in the past.

Improve Security & Privacy, and Protect Your Patrons by Reducing Security

The Seattle Times has an interesting story about the King County Library System removing their security cameras.  This is an excellent case study to illustrate that more security equipment does not always lead to better security.  The case stems from an incident where a patron was mugged in the parking lot.  The Des Moines Police asked to see the security footage from the cameras, but the library refused, presumably citing the need to protect their customers’ privacy.  The police obtained a court order to review the footage and eventually caught the suspect.  The police were not happy with the library’s level of cooperation.

The decision to remove the security cameras "hinders our ability to do police work," Collins (Des Moines PD Spokesperson) said.

The library made the decision to remove the security cameras to prevent similar incidents in the future.  Does removing the security cameras actually present a problem from a security professional’s point of view?  We can perform an assessment of the situation to determine if the library is making a prudent decision.  Top management at the library has decided that the confidentiality of the library patrons outweighs any benefit that the security cameras provide.  Under a security management framework such as ISO 27001, top management determines the goals for an organization’s security program.  In this case library management is correct in making the decision to remove the security cameras, since the security framework leaves all such decisions to top management.

Under the ISO 27001 framework risk assessments must be conducted on a periodic basis.  To visually express top management’s decision we can rate each risk against the CIA triad (confidentiality, integrity, availability) in a risk matrix to illustrate their concerns.  The following examples are illustrative only.

Risk                                 Confidentiality   Integrity   Availability
Customer reading choice compromise   High              Low         Low
Vandals                              Low               Low         Low
Muggers                              Low               Low         Low

In this case management has decided that the risk of all of a patron’s reading choices being recorded by surveillance cameras is of greater concern than other things that may be seen by the cameras.  Based on the risks it would be logical to remove the cameras.  What about hindering the police in their line of work?  That should not be a concern of a security professional consulting on behalf of or employed by the library.  There are numerous reasons why this is true.  Management at the library has decided there are certain things that the police should not have access to.  This is no different than protecting the physical premises of a business or using logical access controls to prohibit viewing of specific files.  Who the outside threat is should not be a concern to the security professional under the ISO 27001 framework.

There are also financial reasons that weigh into the decision to remove the cameras.  In most businesses a compliance professional or paralegal will be fielding court orders for data.  A full-time resource would cost a minimum of $30,000 a year.  Does spending that $30,000 a year bring $30,000 worth of value to the customer?  It does not bring benefit to the customer, but it does benefit the police.  Since the police are not part of the same organization it makes very little sense to help them from a security professional’s or management accountant’s point of view.  If the video footage is that important to the police they should provide the equipment and manpower to monitor it, or the library should invoice the police for their costs of maintaining the equipment.

If we take off our security hats for a moment and put on our management accounting hats we can see that helping law enforcement does not provide economic benefit to the organization.  Therefore, in order to save $30,000 by not hiring a full-time resource, we would need to remove the reason for hiring a resource.  We now have a business reason to remove the cameras.

Critics may argue that the cameras are already paid for and removing them wastes taxpayer money.  Once again we will need to do a financial analysis to determine whether or not the cameras should stay.  Most camera systems today are linked into a DVR which is usually supported by an organization’s IT department.  For purposes of this illustration we will assume that the camera systems are basically computers.  Computers have a five year depreciation before they are scrapped and removed from an organization’s financial books.  How many companies keep computers more than five years?  From a practical and a financial standpoint we can assume that the camera system would be replaced every five years much like a computer would.

The library system has also stated that the cost of maintaining the camera system is $30,000 per year.  Presumably this is the cost of a maintenance contract.  By removing the cameras the library immediately starts saving $30,000 a year.  One way to express loss of value is to take the current depreciated value of the cameras, subtract the value the library receives from selling the equipment, and subtract the $30,000 a year in maintenance savings.  If the cameras are very old and have little financial value, it is possible that we will have a negative number, which means that the removal of the cameras provides an immediate payoff.  Without knowing the details of the original purchase it is reasonable to assume that if the cameras are one or two years old we would obtain immediate ROI by removing the cameras, selling them, and then booking the savings from canceling the maintenance contract.  If the cost of a compliance professional or paralegal is factored in, it is possible the camera system could be scrapped in its first year of operation based on the savings that would occur in years two and beyond.  There is also the capital budget savings from not purchasing a new camera system every five years.

Security and privacy professionals should not assume that more is always better.  Introducing additional equipment and processes can compromise the security and privacy of a client’s customers.  Top management at the organization determines what risks face that organization.  While it may be unconventional to assume that law enforcement is a security risk, there is certainly nothing wrong with that approach if the organization chooses to classify them as a risk.  Security and privacy professionals must also wear many different hats.  By taking unconventional approaches to security and privacy, and by involving other disciplines such as accounting and finance, security and privacy professionals can better serve their clients by protecting what their clients determine to be valuable.

Protecting Your Cellphone Privacy

The Ohio Supreme Court has ruled that the contents of your cellphone are private information and authorities cannot browse your mobile device without a warrant.  This is great news for the American People.

The Ohio Supreme Court ruled this month, by a 4-to-3 vote, that the search violated the Fourth Amendment’s protection against unreasonable search and seizure. Rather than seeing a cellphone as a simple closed container, the majority noted that modern cellphones — especially ones that permit Internet access — are “capable of storing a wealth of digitized information.”

This is information, the court said, for which people reasonably have a high expectation of privacy, and under established Fourth Amendment principles, police officers must get a search warrant before they can look through call logs or examine other data. The court wisely decided that it made no sense to try to distinguish among various kinds of cellphones based on what specific functions they have. All cellphones, the court said, fall under the search warrant requirement.

The judges were wise in their decision.  Modern smartphones contain a great deal of information that you don’t want falling into unauthorized hands.  Today many people sync their entire online address book to their phones.  Also consider that social networking apps could expose your associations beyond the address book on your phone.  And while not sound information security practice, many small businesses use free email services and employees do work on personal equipment.  As an employee, you could be exposing your employer’s business to unauthorized viewing.  Small business employers should also be concerned.  You normally don’t want just anyone reading your company information without a proper NDA.  If you are planning to IPO anytime soon, this would not be a good thing.

You can protect yourself by setting the password on your phone.  I won’t go into specific details since there are many different phones.  A 4-digit PIN is all you can get out of most older phones.  If you have the option to set a password that consists of other characters you might consider enabling that feature.  Password protecting your phone will also help prevent anyone from going through its contents or making calls using your account.  If you’re going to put a password on your phone for privacy reasons, also consider the cost of someone using your phone to make international long distance calls.

Many people put off reading the user manual, but now might be the time to take a look.