Brita Wagener, the Consul General of the Federal Republic of Germany in New York opened the breakfast event by providing an overview of the institutions at the German House in New York. She then discussed the importance of cyber security with respect to electoral manipulation, data theft, cyber warfare, companies and utilities being hacked, and data regulations in various countries.
Mr. William Lymer, co-founder of ARC4DIA Cyber Defense and the moderator of the event presented the three key themes of the discussion, which were hacking trends and tools of the trade, cyber regulation in the EU and the U.S., and prevention and breach management. He then introduced the panelists and posed the first question about hackers’ goals to Mrs. Joanna Burkey, Chief Information Security Officer for Computer and Network Security at Siemens USA.
According to Mrs. Burkey there are two important things to look at in terms of hackers’ ultimate goal, which are what are they doing once they get into your environment and how they get there. Hackers almost exclusively hack into people’s environments through social engineering. Social engineering involves, attackers’ attempt to understand how we as humans think in order to exploit human behavior and thought. This includes sending targeted emails and dropping maliciously infected websites in front of employees or home users and using social engineering to trick people. This leads to cyber threats such as malware and ransomware.
Philip Kibler, head of Cyber Risk Consulting at AIG, provided examples of highly sophisticated social engineering attacks and stated that 80 to 90% of the issues at AIG generally involve some type of human error. These cases may involve phishing, using a weak password, or using out-of-date platforms that are not being patched. One way to prohibit these types of cyberattacks is to think diabolically like the attackers who intend to harm others. Therefore, it is important for an AIG client to assume that a hacker has the same amount of access to the client’s sensitive information and that the attackers know about one’s hidden weaknesses.
Nicholas Johnston, vice president of Global eDiscovery, Forensic Technology and Information Security/Cybersecurity Services at Duff & Phelps pointed out that the majority of cyberattack cases involve hackers with a financial motivation to attack an organization. Cyberattacks that are not as common are state sponsored intrusions and mischievous people who want to do harm. As a result, there has been a transition from identity theft to ransomware, in which data is held hostage, since this provides a quick turnaround. For this reason hackers essentially want to find the path of least resistance. Mr. Johnston said that social engineering and going after the human element is typically the first avenue that a hacker takes. As an alternative, a hacker will try to breach a third party whose security controls are not as good as the primary target.
Joseph V. DeMarco, partner at DeVore & DeMarco LLP was initially asked a question about retaliation, i.e. if an enterprise is attacked, can it take retaliatory measures and strike back. He said that he advises organizations not to retaliate against the attackers, since any significant cyber security event needs to be completely within the confines of the law. Unless you are a governmental organization, you generally do not have the authority under U.S. law to attack someone else’s system.
The next phase of the panel discussion focused on the regulatory environment in the EU and the U.S. s. Mrs. Burkey, who works for Siemens, explained how important it is to take into account the very different regulatory systems and laws that exist in different countries. She emphasized that in security monitoring and setting up adequate internal services, collaboration across companies is important and collaboration within your own business is strongly advised.
Mr. Lymer then mentioned that the New York State Department of Financial Services has introduced “first-in-the-nation cyber regulations” and Mr. Johnston said that, in general, regulations that attempt to standardize and increase the overall level of security are important initiatives.
Another regulation under consideration and being developed by FICO is the implementation of a so-called cyber score that firms need to publish in order to publicly identify themselves. Mr. Kibler stated that it is something a lot of people would like to have. The positive outcome would be an incentive for firms to keep track of their scores and attempting to achieve higher scores while questioning why their scores are relatively low or decreasing. Mr. DeMarco argued that a score could positively affect firms and risk in the sense that it is a data point, but if it were relied upon too much, it would not materially improve the situation. A lot more is needed on the policy and technical side as well as the human level in order to prevent cyberattacks.
When looking at European and U.S. security regulations, Mr. DeMarco finds that there is significant room for improvement for European and American companies in the areas of breach preparedness and breach response. The U.S. is ahead of the EU in terms of breach response, because American companies have been undergoing mandatory breach notification for a longer time, which is now coming to the EU.
Mr. Kibler made the point that the vast of majority of products that consumers buy are themselves vulnerable to cyberattacks. He noted that in the U.S. it is a buyer-beware market, in which companies rush to commercialization and try to beat the competition. The result is that manufacturers are leaving consumers vulnerable. Mr. Johnston agreed that software companies should be releasing products with minimal bugs, vulnerabilities, and security issues. Mr. Kibler continued to make his point about the vulnerabilities of technology in 2017 and beyond, by highlighting the dangers of security risks of smart devices and sensors in the Internet of Things.
When it comes to breach management and prevention, Mr. Kibler advised the audience to prevent being a soft target and to instead become a hard target, which means becoming less interesting and vulnerable to the attacker. It is always possible to break into a business, so you want to make it as difficult as possible for attackers to break into your network. If the return on investment is not high enough for attackers, then they will search for another target. In addition, it is important to assess what could be vulnerable assets and data in your inventory, to look out for anomalous behavior in your environment, and to train employees how to be aware. From a technical viewpoint, Mr. Johnston mentioned that it is also important for organizations to keep logs and gather data in order to move forward in an investigation.
In the Q&A that followed, the speakers answered questions from the audience that ranged from data retention, a vulnerability index related to a company’s possible financial losses, to difficulties in an understanding of how to underwrite cyber security risk.
