An Information Security Analyst’s Take on CISPA


I often get asked what I do for a living, which has proven next to impossible to explain.  Most of the time it goes something like “I protect my company from people like Wikileaks” — which is both correct, and wholly inaccurate.  I work in information security for a major financial services company, which means that my primary job is to protect our clients’ data, money, and privacy.  As a financial institution, our business is based around a pretty simple concept: trust.  If we can’t protect their money, ensure the safety of their information, or keep our systems online and available for them to use, they will move to someone who will.

This all presents some interesting situations, especially as lawmakers try to legislate in our arena.  It’s always interesting to hear what people who have no idea about cyber security think we should be doing to keep our companies, and country, safe.  You may have noticed that there is a bill that keeps popping up in conversation over the past year called the Cyber Intelligence Sharing and Protection Act, or CISPA.  On the surface, it seems like a very logical solution.  As a country, we see attacks happening all over the place and  it makes sense that a concerted government response would mitigate some of the risks, but let’s discuss cyber security a little more before we make our minds up.

We have all seen the denial of service attacks that have hit major banks around the country. Denial of service attacks can be a part of what we call zero-day attacks.  This means that they take advantage of a vulnerability that was previously unknown, so that the attack itself marks day zero of anyone's awareness of the flaw.  Other forms of zero-day attacks would be worms, viruses, Trojans, and other forms of malware.  One side argues that if we have better information sharing, the window for zero-day attacks shrinks because more eyes are on the code and vulnerabilities are identified sooner.  This is very true, but it doesn't cover situations where companies have privately developed code that isn't shared outside of the company.

There are many different threats to our private companies, as well as to our government.  There are nation states that actively sponsor cyber-attacks, such as China.  When hackers benefit from the backing of foreign governments, it can be very hard to compete and stay safe.  Hacking is also sold as a service.  Do you think it's expensive to hire a hacker?  Think again.  Here is a price list from late 2012:

Hacking corporate mailbox: $500
Winlocker ransomware: $10-20
Unintelligent exploit bundle: $25
Intelligent exploit bundle: $10-$3,000
Basic crypter (for inserting rogue code into a benign file): $10-$30
SOCKS bot (to get around firewalls): $100
Hiring a DDoS attack: $30-$70/day, $1,200/month
Botnet: $200 for 2,000 bots
DDoS botnet: $700
ZeuS source code: $200-$500
Windows rootkit (for installing malicious drivers): $292
Hacking Facebook or Twitter account: $130
Hacking Gmail account: $162
Email spam: $10 per one million emails
Email spam (using a customer database): $50-$500 per one million emails
SMS spam: $3-$150 per 100-100,000 messages

I won’t get into what each one does, but the point is that it is much more expensive to secure ourselves than it is for someone to hire a Russian hacking network to hack a corporate mailbox.  And don’t make the mistake of thinking that these people are amateurs; they are good at what they do.  As the Wall Street Journal recently reported, a Russian network is believed to be responsible for an assault on a major European agency that fights spam, which brought down internet speeds worldwide.

Want another example of what we are dealing with? From Spiegel.de: “In August 2005, hackers, presumably from Eastern Europe, demanded that German online gambling site Fluxx pay them €40,000 in the form of a Western Union wire transfer, in return for their stopping DDoS attacks on the company. The Germans refused to pay. British and other online casinos and gambling sites were not as resolute — they paid a total of $4 million in ransom money to a gang of Russian hackers.”

Now let's talk about what we do to protect ourselves.  We already work with each other.  I don't know of any major company that isn't part of some sort of information sharing group between private companies.  There are things like the Financial Services Information Security and Analysis Center, or FS-ISAC, which top financial services firms use to keep each other aware of trends and threat levels in the financial sector.  By staying alert to what we see, we protect each other.  There are many other examples of arrangements like this, but the key point is that the data is shared without threatening personal privacy.  If any data is shared, it's scrubbed of all PII, which is anything that could identify you, such as user IDs, names, addresses, and phone numbers.  We also focus entirely on cyber security.

Top companies also have huge information security departments, and if they don’t they are rapidly building them.  The demand for security professionals has skyrocketed in the last few years, and looks like it will continue to for a while.

It is vitally important that companies work diligently to identify vulnerabilities in code before it ever goes out the door, and most companies have software development life-cycle programs to find problems before code goes into production.  There are also vulnerability scanning tools that allow us to scan our own networks and try to stay ahead of external malicious actors.

The key to me is that we all work together to share strategies: share coding practices that are most secure, share information on how attackers are getting in, share ideas on how security can be better.  Keep the focus on cyber security, not national defense.

The problem with measures such as CISPA is that they don't have the same focus.  CISPA allows the sharing of data to investigate crimes that have nothing to do with cyber threats, and could be utilized as some sort of willy-nilly digital wiretap.  Data doesn't have to be "cleansed" of personal information, and it also gives immunity to private companies so that they can't be sued for negligence or mishandling consumers' data.

How would that impact businesses in the US? The biggest impact I see is that Europe already has much more stringent privacy laws, so if CISPA were enacted I would be seriously concerned about how our companies operated around the world.  There would at the very least have to be a segregation of data so that European data didn’t get drawn into the CISPA regulations, or worse, it would drive our companies out of Europe and force us to exclusively use subsidiaries to do business abroad, which would eat at profits and kill our ability to be competitive.

I have been secretly hoping that our country would move in the direction of unifying with Europe with our privacy laws, but it looks like we are going the other way.  Is that any surprise given how enthusiastically we jumped at things such as the PATRIOT Act?

Guest columnist Matthew Martin is a Sr. Information Security Analyst who works with Fortune 100 financial institutions. He holds an MS from Valparaiso University, and is finishing his MBA at the University of North Carolina at Charlotte. His specialties are information security metrics, governance, and risk decision modeling. When he isn't covered in data, Matthew is covered in diapers and formula while chasing around his 9-month-old triplets.

If you’re curious about where CISPA allows private companies to share your private data, here is a list*:

Agencies within the Executive Office of the President:

Council of Economic Advisers
Council on Environmental Quality
Domestic Policy Council
National Economic Council
National Security Council
Office of Administration
Office of Faith-Based and Neighborhood Partnerships
Office of Management and Budget
Office of National AIDS Policy
Office of National Drug Control Policy
Office of Intergovernmental Affairs and Public Engagement
Office of Science and Technology Policy
Office of the President
Office of the First Lady
Office of the First Children
Office of the Vice President
Office of the Second Lady
Office of the Second Children
President’s Economic Recovery Advisory Board
President’s Intelligence Oversight Board
President’s Intelligence Advisory Board
United States Trade Representative
White House Office
White House Military Office

Agencies within the Department of Agriculture:

Agricultural Marketing Service
Agricultural Research Service
Animal and Plant Health Inspection Service
Center for Nutrition Policy and Promotion
Economic Research Service
Farm Service Agency
Commodity Credit Corporation
Food and Nutrition Service
Food Safety and Inspection Service
Foreign Agricultural Service
Forest Service
Grain Inspection, Packers and Stockyards Administration
Marketing and Regulatory Programs
National Agricultural Statistics Service
National Institute of Food and Agriculture
4-H
Natural Resources Conservation Service
Risk Management Agency
Federal Crop Insurance Corporation
Rural Business and Cooperative Programs
Office of Rural Development
Research, Education and Economics
Rural Housing Service
Rural Utilities Service

Agencies within the Department of Commerce:

Census Bureau
Bureau of Economic Analysis
Bureau of Industry and Security
Economic Development Administration
Economics and Statistics Administration
Export Enforcement
Import Administration
International Trade Administration
Office of Travel and Tourism Industries
Invest in America
Manufacturing and Services
Marine and Aviation Operations
Market Access and Compliance
Minority Business Development Agency
National Oceanic and Atmospheric Administration
NOAA Commissioned Corps
National Environmental Satellite, Data, and Information Service
National Marine Fisheries Service
National Oceanic Service
National Weather Service
National Telecommunications and Information Administration
Patent and Trademark Office
National Institute of Standards and Technology
National Technical Information Service
Trade Promotion and the U.S. And Foreign Commercial Service

Agencies within the Department of Defense:

Department of the Army
United States Army
Army Intelligence and Security Command
Army Corps of Engineers
Department of the Navy
United States Navy
Office of Naval Intelligence
U.S. Naval Academy
Marine Corps
Marine Corps Intelligence Activity
Department of the Air Force
United States Air Force
Civil Air Patrol
Air Force Intelligence, Surveillance and Reconnaissance Agency
Joint Chiefs of Staff
J-2 Intelligence
National Guard Bureau
Natural Disaster and Disaster Help Program
J-2 Intelligence Directorate
Air National Guard
Army National Guard
America Citizen Militia
America Citizen Militia Intelligence
Defense Advanced Research Projects Agency
Defense Commissary Agency
Defense Contract Audit Agency
Defense Contract Management Agency
Defense Finance and Accounting Service
Defense Information Systems Agency
Defense Intelligence Agency
Defense Logistics Agency
Defense Security Cooperation Agency
Defense Security Service
Defense Technical Information Center
Defense Threat Reduction Agency
Missile Defense Agency
National Security Agency
Central Security Service
National Reconnaissance Office
National Geospatial-Intelligence Agency
Naval Criminal Investigative Service
Pentagon Force Protection Agency
United States Pentagon Police
American Forces Information Service
Defense Prisoner of War/Missing Personnel Office
Department of Defense Education Activity
Department of Defense Dependents Schools
Defense Human Resources Activity
Office of Economic Adjustment
TRICARE Management Activity
Washington Headquarters Services
West Point Military Academy

Agencies within the Department of Education:

Federal Student Aid
Institute of Education Sciences
National Center for Education Statistics
National Center for Education Evaluation and Regional Assistance
Education Resources Information Center
National Center for Education Research
National Center for Special Education Research
National Assessment Governing Board
National Assessment of Educational Progress
Office for Civil Rights
Office of Elementary and Secondary Education
Office of Safe and Healthy Students
Office of Postsecondary Education
Office of Special Education and Rehabilitative Services
National Institute on Disability and Rehabilitation Research
Office of Special Education Programs
Rehabilitation Services Administration
Special institutions
American Printing House for the Blind
National Technical Institute for the Deaf
Gallaudet University
Office of Vocational and Adult Education

Agencies within the Department of Energy:

Energy Information Administration
Federal Energy Regulatory Commission
National Laboratories & Technology Centers
University Corporation for Atmospheric Research
National Nuclear Security Administration
Power Marketing Administrations:
Bonneville Power Administration
Southeastern Power Administration
Southwestern Power Administration
Western Area Power Administration

Agencies within the Department of Health and Human Services:

Administration on Aging
Administration for Children and Families
Administration for Children, Youth and Families
Agency for Healthcare Research and Quality
Centers for Disease Control and Prevention
National Institute for Occupational Safety and Health
Epidemic Intelligence Service
National Center for Health Statistics
Centers for Medicare and Medicaid Services
Food and Drug Administration
Reagan-Udall Foundation
Health Resources and Services Administration
Patient Affordable Healthcare Care Act Program {to be implemented fully in 2014}
Independent Payment Advisory Board
Indian Health Service
National Institutes of Health
National Health Intelligence Service
Public Health Service
Federal Occupational Health
Office of the Surgeon General
United States Public Health Service Commissioned Corps
Substance Abuse and Mental Health Services Administration

Within the Department of Homeland Security

Agencies

Federal Emergency Management Agency

FEMA Corps
U.S. Fire Administration
National Flood Insurance Program
Federal Law Enforcement Training Center
Transportation Security Administration
United States Citizenship and Immigration Services
United States Coast Guard (Transfers to Department of Defense during declared war or national emergency)
Coast Guard Intelligence
National Ice Center
United States Ice Patrol
United States Customs and Border Protection
Office of Air and Marine
Office of Border Patrol
U.S. Border Patrol
Border Patrol Intelligence
Office of Field Operations
United States Immigration and Customs Enforcement
United States Secret Service
Secret Service Intelligence Service

Offices

Domestic Nuclear Detection Office
Office of Health Affairs
Office of Component Services
Office of International Affairs and Global Health Security
Office of Medical Readiness
Office of Weapons of Mass Destruction and Biodefense
Office of Intelligence and Analysis
Office of Operations Coordination
Office of Policy
Homeland Security Advisory Council
Office of International Affairs
Office of Immigration Statistics
Office of Policy Development
Office for State and Local Law Enforcement
Office of Strategic Plans
Private Sector Office

Management

Directorate for Management

National Protection and Programs

National Protection and Programs Directorate
Federal Protective Service
Office of Cybersecurity and Communications
National Communications System
National Cyber Security Division
United States Computer Emergency Readiness Team
Office of Emergency Communications
Office of Infrastructure Protection
Office of Risk Management and Analysis
United States Visitor and Immigrant Status Indicator Technology (US-VISIT)

Science and Technology

Science and Technology Directorate
Environmental Measurements Laboratory

Portfolios

Innovation/Homeland Security Advanced Research Projects Agency
Office of Research
Office of National Laboratories
Office of University Programs
Program Executive Office, Counter Improvised Explosive Device
Office of Transition
Commercialization Office
Long Range Broad Agency Announcement Office
Product Transition Office
Safety Act Office
Technology Transfer Office

Divisions

Border and Maritime Security Division
Chemical and Biological Division
Command, Control and Interoperability Division
Explosives Division
Human Factors Division
Infrastructure/Geophysical Division

Offices and Institutes

Business Operations Division
Executive Secretariat Office
Human Capital Office
Key Security Office
Office of the Chief Administrative Officer
Office of the Chief Information Officer
Planning and Management
Corporate Communications Division
Interagency and First Responders Programs Division
International Cooperative Programs Office
Operations Analysis Division
Homeland Security Studies and Analysis Institute
Homeland Security Systems Engineering and Development Institute
Strategy, Policy and Budget Division
Special Programs Division
Test & Evaluation and Standards Division

Within the Department of Housing and Urban Development

Agencies

Federal Housing Administration
Federal Housing Finance Agency

Offices

Center for Faith-Based and Neighborhood Partnerships (HUD)
Departmental Enforcement Center
Office of Community Planning and Development
Office of Congressional and Intergovernmental Relations
Office of Equal Employment Opportunity
Office of Fair Housing and Equal Opportunity
Office of Field Policy and Management
Office of the General Counsel
Office of Healthy Homes and Lead Hazard Control
Office of Hearings and Appeals
Office of Labor Relations
Office of Policy Development and Research
Office of Public Affairs
Office of Public and Indian Housing
Office of Small and Disadvantaged Business Utilization
Office of Sustainable Housing and Communities

Corporation

Government National Mortgage Association (Ginnie Mae)

Within the Department of the Interior

Agencies:

Bureau of Indian Affairs
Bureau of Land Management
Bureau of Reclamation
Fish and Wildlife Service
Bureau of Ocean Energy Management (formerly Minerals Management Service)
Bureau of Safety and Environmental Enforcement (formerly Minerals Management Service)
National Park Service
Office of Insular Affairs
Office of Surface Mining
National Mine Map Repository
United States Geological Survey

Within the Department of Justice

Agencies:

Antitrust Division
Asset Forfeiture Program
Bureau of Alcohol, Tobacco, Firearms and Explosives
Civil Division
Civil Rights Division
Community Oriented Policing Services
Community Relations Service
Criminal Division
Diversion Control Program
Drug Enforcement Administration
Environment and Natural Resources Division
Executive Office for Immigration Review
Executive Office for Organized Crime Drug Enforcement Task Forces
Executive Office for United States Attorneys
Executive Office for United States Trustees
Federal Bureau of Investigation
Federal Bureau of Prisons
UNICOR
Foreign Claims Settlement Commission
INTERPOL – United States National Central Bureau
Justice Management Division
National Crime Information Center
National Drug Intelligence Center
National Institute of Corrections
National Security Division
Office of the Associate Attorney General
Office of the Attorney General
Office of Attorney Recruitment and Management
Office of the Chief Information Officer
Office of the Deputy Attorney General
Office of Dispute Resolution
Office of the Federal Detention Trustee
Office of Information Policy
Office of Intergovernmental and Public Liaison
Office of Intelligence and Analysis
Office of Justice Programs
Bureau of Justice Assistance
Bureau of Justice Statistics
Community Capacity Development Office
National Criminal Justice Reference Service
National Institute of Justice
Office of Juvenile Justice and Delinquency Prevention
Office for Victims of Crime
Office of Legal Counsel
Office of Legal Policy
Office of Legislative Affairs
Office of the Pardon Attorney
Office of Privacy and Civil Liberties
Office of Professional Responsibility
Office of Public Affairs
Office of Sex Offender Sentencing, Monitoring, Apprehending, Registering and Tracking
Office of the Solicitor General
Office of Special Counsel
Office of Tribal Justice
Office on Violence Against Women
Professional Responsibility Advisory Office
Tax Division
United States Attorneys
United States Marshals
United States Parole Commission
United States Trustee Program

Within the Department of Labor

Agencies and Bureaus

Bureau of International Labor Affairs
Bureau of Labor Statistics
Center for Faith-Based and Neighborhood Partnerships (DOL)
Employee Benefits Security Administration
Employment and Training Administration
Job Corps
Mine Safety and Health Administration
Occupational Safety and Health Administration
Pension Benefit Guaranty Corporation
Veterans’ Employment and Training Service
Wage and Hour Division
Women’s Bureau

Boards

Administrative Review Board
Benefits Review Board
Employees’ Compensation Appeals Board

Offices

Office of Administrative Law Judges
Office of the Assistant Secretary for Administration and Management
Office of the Assistant Secretary for Policy
Office of the Chief Financial Officer
Office of the Chief Information Officer
Office of Congressional and Intergovernmental Affairs
Office of Disability Employment Policy
Office of Federal Contract Compliance Programs
Office of Labor-Management Standards
Office of the Solicitor
Office of Worker’s Compensation Program
Ombudsman for the Energy Employees Occupational Illness Compensation Program

Within the Department of State

Agencies and Bureaus

National Council for the Traditional Arts

Reporting to the Secretary

Bureau of Intelligence and Research
Bureau of Legislative Affairs
Office of the Legal Adviser

Reporting to the Deputy Secretary for Management and Resources

Executive Secretariat
Office of the Chief of Protocol
Office for Civil Rights
Office of the Coordinator for Counterterrorism
Office of the United States Global AIDS Coordinator
Office of Global Criminal Justice
Policy Planning Staff

Reporting to the Under Secretary for Arms Control and International Security

Bureau of International Security and Nonproliferation
Bureau of Political-Military Affairs
Bureau of Arms Control, Verification and Compliance

Reporting to the Under Secretary for Democracy and Global Affairs

Bureau of Democracy, Human Rights, and Labor
Bureau of Oceans and International Environmental and Scientific Affairs
Bureau of Population, Refugees, and Migration
Office to Monitor and Combat Trafficking in Persons

Reporting to the Under Secretary for Economic, Energy and Agricultural Affairs

Bureau of Economic, Energy and Business Affairs

Reporting to the Under Secretary for Management

Bureau of Administration
Bureau of Consular Affairs
Office of Overseas Citizens Services
Bureau of Diplomatic Security (DS)
Diplomatic Security Service (DSS)
Office of Foreign Missions (OFM)
Overseas Security Advisory Council (OSAC)
Bureau of Human Resources
Family Liaison Office
Bureau of Information Resource Management
Bureau of Overseas Buildings Operations
Bureau of Resource Management
Foreign Service Institute
Office of Management Policy, Rightsizing and Innovation

Reporting to the Under Secretary for Political Affairs

Bureau of African Affairs
Bureau of East Asian and Pacific Affairs
Bureau of European and Eurasian Affairs
Bureau for International Narcotics and Law Enforcement Affairs
Bureau of International Organization Affairs
Bureau of Near Eastern Affairs
Bureau of South and Central Asian Affairs
Bureau of Western Hemisphere Affairs

Reporting to the Under Secretary for Public Diplomacy and Public Affairs

Bureau of Educational and Cultural Affairs
Bureau of International Information Programs
Bureau of Public Affairs
Office of the Historian
Office of Policy, Planning and Resources for Public Diplomacy and Public Affairs

Permanent Diplomatic Missions

United States Mission to the African Union
United States Mission to ASEAN
United States mission to the Arab League
United States mission to the Council of Europe (and to all other European Agencies)
United States Mission to International Organizations in Vienna
United States Mission to the European Union
United States Mission to the International Civil Aviation Organization
United States Mission to the North Atlantic Treaty Organization
United States Mission to the Organisation for Economic Co-operation and Development
United States Mission to the Organization of American States
United States Mission to the Organization for Security and Cooperation in Europe
United States Mission to the United Nations
United States Mission to the UN Agencies in Rome
United States Mission to the United Nations Office and Other International Organizations in Geneva
United States Observer Mission to the United Nations Educational, Scientific, and Cultural Organization
United States Permanent Mission to the United Nations Environment Program and the United Nations Human Settlements Programme

Within the Department of Transportation

Agencies

Bureau of Transportation Statistics
Federal Aviation Administration
Air Traffic Organization
Federal Highway Administration
Federal Motor Carrier Safety Administration
Federal Railroad Administration
Federal Transit Administration
Maritime Administration
National Highway Traffic Safety Administration
Office of Intelligence, Security and Emergency Response
Pipeline and Hazardous Materials Safety Administration
Research and Innovative Technology Administration
Saint Lawrence Seaway Development Corporation
Surface Transportation Board

Within the Department of the Treasury

Agencies and Bureaus

Alcohol and Tobacco Tax and Trade Bureau
Bureau of Engraving and Printing
Bureau of the Public Debt
Community Development Financial Institutions Fund
Federal Consulting Group
Financial Crimes Enforcement Network
Financial Management Service
Internal Revenue Service
Office of the Comptroller of the Currency
Office of Thrift Supervision
Office of Financial Stability
United States Mint

Offices

Office of Domestic Finance
Office of Economic Policy
Office of International Affairs
Office of Tax Policy
Office of Terrorism and Financial Intelligence
Treasurer of the United States

Within the Department of Veterans Affairs

Agencies

National Cemetery Administration
Veterans Benefits Administration
Veterans Health Administration

Independent Agencies and Government Corporations

Administrative Conference of the United States
Advisory Council on Historic Preservation
African Development Foundation
Amtrak (National Railroad Passenger Corporation)
Armed Forces Retirement Home
Central Intelligence Agency
Commission on Civil Rights
Commodity Futures Trading Commission
Consumer Product Safety Commission
Corporation for National and Community Service
Corporation for Public Broadcasting
Court Services and Offender Supervision Agency
Defense Nuclear Facilities Safety Board
Election Assistance Commission
Environmental Protection Agency
Equal Employment Opportunity Commission
Export-Import Bank of the United States
Farm Credit Administration
Federal Communications Commission
Federal Deposit Insurance Corporation
Federal Election Commission
Federal Housing Finance Board
Federal Labor Relations Authority
Federal Maritime Commission
Federal Mediation and Conciliation Service
Federal Mine Safety and Health Review Commission
Federal Reserve System
United States Consumer Financial Protection Bureau
Federal Retirement Thrift Investment Board
Federal Trade Commission
General Services Administration
Helen Keller National Center
Institute of Museum and Library Services
Inter-American Foundation
International Broadcasting Bureau
Merit Systems Protection Board
Military Postal Service Agency
National Aeronautics and Space Administration
National Archives and Records Administration
Office of the Federal Register
National Capital Planning Commission
National Constitution Center
National Council on Disability
National Credit Union Administration
Central Liquidity Facility
National Endowment for the Arts
National Endowment for the Humanities
National Labor Relations Board
National Mediation Board
National Science Foundation
United States Antarctic Program
National Transportation Safety Board
Nuclear Regulatory Commission
Office of the Federal Coordinator, Alaska Natural Gas Transportation Projects
Occupational Safety and Health Review Commission
Office of Compliance
Office of Government Ethics
Office of Personnel Management
Federal Executive Institute
Combined Federal Campaign
Office of Special Counsel
Office of the National Counterintelligence Executive
Office of the Director of National Intelligence
Intelligence Advanced Research Projects Activity
Overseas Private Investment Corporation
Panama Canal Commission
Peace Corps
Postal Regulatory Commission
Railroad Retirement Board
Securities and Exchange Commission
Securities Investor Protection Corporation
Selective Service System
Small Business Administration
Social Security Administration
Tennessee Valley Authority
U.S. Trade and Development Agency
United States Agency for International Development
United States International Trade Commission
United States Postal Service

Inspectors General

Source: Electronic Frontier Foundation, “Under CISPA, Who Can Get Your Data?”