Security is everyone's responsibility and for any organization, the focus should be to educate their employees about the different types of security attacks and how to ensure that security is not compromised.
This cybersecurity book starts by defining the modern security and regulatory landscape, helping you understand the challenges related to human behavior and how attacks take place. You'll then see how to build effective cybersecurity awareness and modern information security programs. Once you've learned about the challenges in securing a modern enterprise, the book will take you through solutions or alternative approaches to overcome those issues and explain the importance of technologies such as cloud access security brokers, identity and access management solutions, and endpoint security platforms. As you advance, you'll discover how automation plays an important role in solving some key challenges and controlling long-term costs while building a maturing program. Toward the end, you'll also find tips and tricks to keep yourself and your loved ones safe from an increasingly dangerous digital world.
By the end of this book, you'll have gained a holistic understanding of cybersecurity and how it evolves to meet the challenges of today and tomorrow.
The e-book can be read in Legimi apps or in any app that supports the following format:
Page count: 446
Year of publication: 2022
An end-to-end guide to preventing data breaches and cyber attacks
Jeremy Wittkop
BIRMINGHAM—MUMBAI
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Publishing Product Manager: Prachi Sawant
Senior Editor: Sangeeta Purkayastha
Content Development Editor: Nihar Kapadia
Technical Editor: Rajat Sharma
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Manju Arasan
Production Designer: Roshan Kawale
Marketing Coordinator: Hemangi Lotlikar
First published: March 2022
Production reference: 1010222
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80324-863-9
www.packt.com
To my wife, LeSean, for being my loving partner throughout our joint life journey. To every young person considering a career in cybersecurity. You will be on the front lines of the battle to defend our way of life for future generations.
– Jeremy Wittkop
Jeremy Wittkop has spent over a decade architecting, implementing, and managing information protection programs, with a focus on helping multinational organizations comply with a changing regulatory landscape and protect their most sensitive intellectual property. As InteliSecure's former chief technology officer, Jeremy was a foundational architect for InteliSecure's internationally recognized data protection, cloud security, and user and entity behavior analytics services. Jeremy is a trusted information protection thought leader and a published author, blogger, public speaker, and advisor to clients as well as public and private equity investors.
Thank you to my wife, who always makes time in our busy lives to allow me to pursue my dreams. Also, thank you to my friend and technical editor, Cosmo, who is always there to make me laugh when I feel like frowning. A special thanks to the Packt team, you have been a pleasure to work with throughout.
Cosmo Romero has worked in high-tech since 1998 and in cybersecurity since 2003. Cosmo has a bachelor's degree in high-tech management and has professional experience in networking, system administration, and cybersecurity. Today, Cosmo helps organizations adopt technology and services to secure data (Information Security) and manage the risk posed by trusted insiders (Insider Threat Management).
I would love to thank my family, friends, and mentors (you know who you are) for supporting me in reviewing this important work. Just know I could have never become me if it were not for all of you, so thank you! I love you all, everyone!
The world is becoming increasingly digitized. Businesses rely on information technology to allow them to compete in the modern economy. However, each innovation brings new threats and vulnerabilities that threaten our livelihoods, our identities, and the global economy. The threats we face have never been greater than they are today.
At the same time, we are facing a historic shortage of information security professionals who will help keep us safe. In the long term, we must attract more people to our field to help secure our environments and protect the most vulnerable among us. In the short term, we must build processes that maximize the people we have and the technologies available to us to defend against capable adversaries who seek to compromise our systems and steal our valuable information.
I wrote this book to share the knowledge I've gained over the last decade I've spent helping organizations defend against cyber threats. Too often, we get caught up in technology and tactics and forget to look at the big picture of what we are trying to accomplish. We see breaches in the headlines, but we fail to understand what went wrong and identify the lessons we can learn to enable a more secure future.
I am disheartened by stories I hear of people who want to get into cybersecurity but find it difficult to get started. We are desperate for talent in our discipline, and it is critical for us to make cybersecurity more accessible. It is my hope that those who read this book will be attracted to cybersecurity as a profession and will acquire the tools necessary to understand the space holistically.
Information is among the most valuable commodities in the world today. Our ability to protect it will determine the opportunities available to future generations.
This book is for people who are considering a career in cybersecurity and need to understand the landscape. It is also for people who are in a single cybersecurity discipline who would like to expand their understanding to advance their careers. Finally, this book is for those who are skilled in cybersecurity but find it difficult to relate the concepts to non-technical people.
Chapter 1, Protecting People, Information, and Systems – a Growing Problem, introduces you to the modern cybersecurity landscape and provides examples of the problems we are facing.
Chapter 2, The Human Side of Cybersecurity, introduces the roles humans play in cybersecurity, on both the attacker and the defender sides. Cybersecurity is about people attacking people. While cybersecurity is new, the dynamics are as old as humanity itself.
Chapter 3, Anatomy of an Attack, introduces different attack types and how they typically happen. We will explore common techniques and what the attacker must accomplish to be successful.
Chapter 4, Protecting People, Information, and Systems with Timeless Best Practices, discusses how while many measures and countermeasures change with technology, some best practices are timeless and effective. We will explore these timeless best practices, which are rarely implemented effectively and could limit the damage caused by the majority of breaches.
Chapter 5, Protecting against Common Attacks by Partnering with End Users, discusses how people often think of security as the domain of a small team inside an environment. The best security programs partner with end users as the first and last lines of defense.
Chapter 6, Information Security for a Changing World, discusses how the pace of change is both faster than it has ever been and the slowest it will ever be. Change is the only constant, and it is accelerating. Future-proofing a security program requires a conceptual understanding of objectives that transcends technology.
Chapter 7, Difficulty Securing the Modern Enterprise (With Solutions!), looks at how there are a number of current challenges in the cybersecurity space with no easy answers. This chapter will talk about those challenges and provide recommendations for how you can solve them.
Chapter 8, Harnessing Automation Opportunities, discusses automation and how automation will not solve all of the problems associated with cybersecurity today. However, effective programs will find ways to use automation where appropriate to make people more effective.
Chapter 9, Cybersecurity at Home, looks at how, as the world is not just more dangerous for businesses, cybersecurity knowledge can also protect those who matter most to us at home.
There are no prerequisites to reading this book other than an open mind, a positive attitude, and a thirst for knowledge.
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781803248639_ColorImages.pdf.
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Once you've read , we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
The world is changing at an ever-increasing pace. The flywheel of technological innovation is spinning at such a rate that traditional change management is obsolete and change leadership has become the norm. Each new technology that affects the modern workplace presents new challenges for the teams chartered with securing the organization's most important systems and information.
Few people understand the breadth of the global cybercrime community and the actors who play a role. Understanding how attacks happen and why is critical to building the proper defenses to secure a modern enterprise.
This part of the book comprises the following chapters:
Chapter 1, Protecting People, Information, and Systems – a Growing Problem
Chapter 2, The Human Side of Cybersecurity
Chapter 3, Anatomy of an Attack
Few people understand the sophistication of the global cybercrime community and the actors who play a role. Understanding how attacks happen and why is critical to building the proper defenses to secure the modern enterprise. The world is changing at an ever-increasing pace. The flywheel of technology innovation is spinning at such a rate that traditional change management is obsolete, and change leadership has become the norm. Each new technology that enhances the modern workplace presents new challenges for the teams chartered with securing the most important systems and information. It is impossible to predict the future, but by understanding timeless best practices, threats, and modern architectural techniques, it is possible to build a security posture that is flexible and resilient enough to meet current and future threats. Doing so is difficult and requires a deep strategic understanding of what you are trying to accomplish.
In this chapter, we will explore why cybercrime is appealing to criminals and the impact of cybercrime on the global community, introduce the core tenets of information security, and discuss the cybersecurity talent shortage. Throughout this chapter and the remainder of the book, we will explore example cases that provide real-world illustrations of the topics we will cover. At the end of each chapter, there are a few open-ended questions you should be able to answer in your own words after reading the chapter. After reading this chapter, you should be able to communicate these concepts to others and illustrate the main ideas with real-world examples.
In this chapter, we will cover the following topics:
Why cybercrime is here to stay – a profitable business model
The macro-economic cost of cybercrime
The role of governments and regulation
The foundational elements of security
The cybersecurity talent shortage
In the year 2017, if cybercrime were a country, it would have had the 13th highest GDP in the world, between South Korea and Australia. In 2021, according to a recent Cybercrime Magazine article, "If it were measured as a country, then cybercrime — which is predicted to inflict damages totaling $6 trillion USD globally in 2021 — would be the world's third-largest economy after the U.S. and China." (Morgan, Cybercrime to Cost the World $10.5 Trillion Annually by 2025, 2020). The same article predicts that the number will grow to $10.5 trillion by 2025. Part of the reason for this growth is that cybercrime is an attractive proposition for attackers.
Cybercrime is a very profitable business with few risks. Think of a bank robber. Prior to the invention of the internet, if someone wanted to rob a bank, they would need to be in the same physical location as the bank and plan to physically enter the bank and demand money and get away from the bank with the money without being apprehended by the authorities. If someone were to undertake such a robbery and were not successful, there is a significant likelihood that they would be arrested, wounded, or killed. Cybercriminals can attempt to rob thousands of banks around the globe with little fear of repercussions. If their attack is unsuccessful, they can simply move on and target another bank. Compare the risks and effort involved with the example case given as follows:
Example Case: The GozNym Gang and the $100 Million Heist
In 2016, the GozNym gang, using a piece of malicious software known as a banking trojan by the same name, stole $100 million from individual bank accounts, mostly in the United States and Europe. The GozNym banking trojan was a piece of malicious software the gang could install that would wait for a user to log onto a bank account, and then transmit their credentials to a GozNym server. Once they had the credentials, "certain members of the GozNym crew then used the stolen credentials to access the victim's bank account, to steal money from it, and launder the funds via US and foreign bank accounts controlled by the gang." (Vijayan, 2019)
This case was one of the few where the criminals were pursued across borders, and most were brought to justice. The numbers in this case are staggering. As a criminal endeavor, what other means outside of cybercrime could a criminal gang use to steal $100 million per year? Cybercrime is profitable and has a relatively low risk because a clever piece of software can victimize thousands of people with little effort on the part of the attacker. Adding to the allure for cybercriminals, in all but the largest cases, is that it is difficult to get the international cooperation necessary to identify the members of a criminal enterprise, find those people, and extradite them to another country for prosecution. In many cases, it is an open secret that criminal gangs are operating, and there is little political will to stop them. It is worth noting that this criminal gang chose to use traditional currency and bank accounts, which made them much easier to track. Criminal gangs using ransomware and cryptocurrency for payment are far less traceable. While their exploits are generally less lucrative, their risk of being caught is also far lower.
The Romanian city of Râmnicu Vâlcea is a well-known hotspot for cybercriminals. In this city, the cybercriminals are very wealthy and are unafraid to flaunt their wealth, since there is very little fear that they will be arrested and brought to justice. Cybercrime and the internet, along with anonymous cryptocurrencies and few global authorities with the power to pursue international criminals across jurisdictions, create the perfect conditions for the growth of cybercrime. While steps could be taken to curb the rise of cybercrime, in the current environment, it is incumbent on people and organizations to protect themselves.
Most people do not realize cybercriminals benefit from an entire underground economy hosted on the dark web. The dark web is not a place but is essentially a secretive network. Think of it as the dark side of the internet. Just like the regular internet, the dark web is a collection of websites. Unlike the internet, these websites are not indexed by most search engines and require a special browser known as The Onion Router (TOR). The TOR browser is designed to make internet traffic anonymous, which is a key element for criminals in cyberspace to remain hidden. Unlike the traditional internet, most destinations on the dark web are not open to anyone who simply browses to them. The dark web is more akin to a collection of forums that have moderators and require invitations to gain access. The best example in the physical world is to think of the dark web as a network of speakeasies. Each has its own password and verifies the identities and intentions of its attendees, but once a person is accepted into a few and becomes a known entity in the underworld, they would have an easier time gaining access to other establishments.
The dark web itself serves two major purposes for cybercriminals. First, it provides access to marketplaces where stolen information can be bought and sold. Criminals may hack into a database such as Yahoo, for example, and steal millions of email addresses and passwords. The attacker may have no use for that information, so they can go to the dark web and offer it for sale. Other criminals can buy the information and use it for different purposes, such as launching a campaign against the list of email addresses to fool the user into clicking on a link or delivering a virus. Alternatively, attackers could use the email address and password combinations in popular sites to see whether the victim reuses their password so they can gain access to high-value sites to steal something of value. This underground economy provides an efficient marketplace where those who have the skills to steal data can profit from their work.
Second, the dark web offers marketplaces for criminals to purchase exploit kits containing phishing lures and malicious software or contract with other criminals for expertise they may not have. For example, if you wanted to deliver a ransomware attack, you could purchase the ransomware itself from one group, complete with documentation, instructions, and even technical support, and purchase a sophisticated phishing lure from another criminal and a list of potential victims from a third. TOR networks and botnets can be used to launch attacks to make their origins more difficult to trace. In fact, all you need to launch a relatively sophisticated and low-risk cyber-attack in the modern world is access to the dark web, a Bitcoin wallet, and a questionable moral compass.
Bitcoin and other cryptocurrencies make cybercrime more profitable and less dangerous. Whether you like or dislike cryptocurrency, there is little debate that its existence and the corresponding rise in the scale and profitability of cybercrime are no coincidence. Bitcoin is the most popular cryptocurrency. Cryptocurrencies operate on a technology known as blockchain. Blockchain is a distributed transaction ledger that allows the anonymous transfer of stored value between parties. For example, if you were to hold someone for ransom and asked them to pay you in United States dollars, somewhere there would be a record of that transaction, and with enough effort, the owner of the account, the kidnapper, would be identified. When ransoms are paid in Bitcoin, it is impossible to trace who the actual recipient of the money is or how they spent the money they received.
These factors lower the barriers to entry for cybercriminals to get into a profitable business. Never in human history has crime had higher rewards with lower risk. In fact, in some places throughout the world, there is a technically skilled population whose best economic prospects are to become criminals.
There is also a significant imbalance between the proceeds of cybercrime and the cost of cybercrime, which means the attackers are more motivated than the defenders. For every dollar cybercrime costs an economy, it generates $3 for the attacker. It stands to reason those attacks would continue to proliferate until balance is reached. If I could purchase something from you for $1 and sell it for $3, I would make as many purchases from you as I could. The equation for cybercrime is similar. While these macro-economic forces are unlikely to change in the short term, there are measures we can take to increase the costs and risks of cybercrime to make these attacks less appealing to criminals. Currently, it is far too easy for attackers to infect systems. People and organizations fail to follow simple best practices that make it significantly more difficult for attackers to be successful. Those best practices are explained in detail in Chapter 4, Protecting People, Information, and Systems with Timeless Best Practices.
Many people ask why cybercrime is growing and attacks are increasing in terms of scale, complexity, and frequency. The simple answer is that cybercrime is good business. If a person does not take moral issue with cybercrime, the economic opportunity is attractive, and the risk is lower than other criminal opportunities. In fact, economically speaking, cybercrime is the most lucrative profession available to many people around the world. However, there is another side to the equation. While criminals can benefit from crime, the damage to individual victims and economies is serious.
The impacts of cybercrime on the global economy are significant. The impact of ransomware on infrastructure has been highlighted by the 2021 Colonial Pipeline ransomware attack, which is detailed in Chapter 3, Anatomy of an Attack. Colonial Pipeline supplied gasoline for large portions of the United States. With the pipeline offline, several states experienced gas shortages and gas prices rose significantly. The Equifax breach involved the personal information of millions of people, which contributes to the ongoing identity theft problem in industrialized nations. The American Semiconductor case, which began in 2011 and did not reach resolution until 2019, involved an existential threat to an American company that barely survived as a shell of its former self.
Each of these instances highlights the importance of cybersecurity in the modern world. Every organization, and even every person, has an interest and a responsibility in protecting their sensitive information.
While there are many direct and ancillary economic impacts of cybercrime, here are three major categories we should highlight. First, there is a global cost to identity theft. The implications for economies are significant, but behind the numbers are thousands of stories of individuals and families who have been hurt. Second, intellectual property forms the bedrock of Western economies. It could be said that all industrialized nations depend on intellectual property for prosperity; Western economies rely on personal property rights to power the economy. Finally, it is easy to lose sight of the damage done to individual companies and the employees who rely on them for their livelihood. When we look at the three major impacts of cybercrime, it is clear the damages can be devastating.
Identity theft has become a major problem globally. This problem impacts not only individuals but also entire economies. Personally Identifiable Information (PII) is information about an individual that can identify them from others and also could be used to impersonate them. National identifiers such as social security numbers, social insurance numbers, or other government-issued identifiers are commonly associated with PII, but other factors, such as names, phone numbers, and addresses, in combination can also be damaging. There is a well-established marketplace to buy stolen personal information on the dark web.
According to a CNBC article, "identity fraud cost Americans a total of about $56 billion" (Leonhardt, 2021) in 2020. Children are often victims and identity fraud costs generally fall directly on the consumer. As a result, a group of identity protection providers has emerged to help customers protect their identity, and if it is stolen, to pay legal fees to repair the damage. When companies lose large amounts of PII, the remedy is often to provide identity protection services for the impacted consumers.
Simply restoring an identity is not enough though. Many Western economies are consumer-driven, and if consumers are losing money to identity theft, they are not spending that money elsewhere in the economy. Therefore, the money lost to identity theft can be seen as economic leakage, causing downstream harm to businesses and individuals that are not victims of identity theft. In the United States, more than 1 in 100 people were victims of identity theft in 2020. The data privacy regulations discussed later in this chapter are the direct response from governments to this growing problem.
Most industrialized nations are built on the idea of personal property rights. Many times, those rights are dependent on the protection of intellectual property rights. It could be said, then, that the foundation of the global economy, with notable exceptions such as China, is the exclusivity of information and the ability for a person or a company to benefit economically from their ideas and discoveries. Theft of intellectual property threatens that foundation and if it cannot be protected, makes it less likely companies will invest in creating new inventions, and therefore the economy will not grow as quickly as it otherwise could.
To prevent this from happening, Western economies have developed intellectual property protections that encourage discovery and offer exclusive rights for a set period of time to the person or entity that made the discovery or created the work. Intellectual property comes in many forms, with varying time limits as well as degrees of protection. In some cases, an organization could protect intellectual property in different ways. For example, a secret recipe could be protected by a patent, which would give it strong legal protections for a set period of time, after which it would go into the public domain, and anyone could see the recipe and use it for themselves. Alternatively, the company could choose to classify it as a trade secret, which has limited legal protection but no requirement for disclosure. As a result, most companies who make recipes, outside the pharmaceutical industry, use trade secrets. However, using trade secrets requires a higher level of protection to keep them secret. Protecting intellectual property appropriately requires an understanding of the property type and the legal protections offered. Let's have a look at them.
Copyrights are designed to protect works such as books, movies, and music. In the United States, a copyright must be registered with the Library of Congress for legal action to be taken, but copyright is granted as soon as a work is fixed in a tangible form, meaning committed to a hard drive, a piece of paper, or otherwise taken from an idea stage to a stage where it exists in the physical world.
Copyright grants five exclusive rights to an owner, which can then be licensed to others for the owner to earn income from their idea. Those five rights are the right to reproduce the work, publish the work, perform the work, display the work, or make derivatives from the work. Copyrights are normally long lasting, designed to last more than the lifetime of the person who created the work, but eventually, works do go into the public domain where others can use the work without paying the owner. Since copyrights are designed to protect the rights of the owner of a public work, there are few information security implications for protecting copyrights.
Patents are designed to give the owner an exclusive right to an invention for a relatively short period of time. After that time, the invention goes into the public domain and anyone can use it. The easiest example to understand is with medication. To incentivize pharmaceutical companies to invest capital in researching treatments and drugs, they are granted a period of time, generally between 10 and 20 years, where they are the only company that can sell that treatment or drug, and, within reason, they can charge whatever price they would like for it. When that time expires, other companies can access the formula and produce generic versions of the drug. When the patent for Tylenol expired, for example, anyone could use the formula to make generic acetaminophen, which is the same chemical formula as Tylenol; they just couldn't call it Tylenol because the brand name was protected by a trademark.
In the United States, patents must be filed with the United States Patent and Trademark Office, which is a lengthy process. There is a period of time between when something is being discovered and tested and when it is filed for patent protection, and during that time, that idea or invention is very sensitive and should be protected. Most countries around the world that offer patent protection have a similar patent office that allows inventors to register their inventions and apply for patent protection. Also, most countries that recognize patents will also enforce patents originating in other countries to encourage trade.
Trade secrets offer limited legal protection but have the advantage of never going into the public domain. In the beginning, trade secrets were protected only to the extent that the organization could keep them a secret. In 2016, the Defend Trade Secrets Act was passed in the United States, which provided a forum for victims of trade secret theft to bring lawsuits against those who have stolen or otherwise misappropriated their trade secrets if the secrets were intended to be used in interstate or international commerce. In the Act, a trade secret is defined as "all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing." (American Bar Association, 2016). There is a major caveat though, in the fact that the victim must prove they took reasonable measures to keep the information secret.
Therefore, if a company is a victim of trade secret theft and would like to bring a case, they must show what security measures they had in place to defend the secret. As a result, protecting trade secrets has become one of the most important parts of an information security program with respect to intellectual property protection. Since this is a young law, there is little precedent with respect to what qualifies as a reasonable measure. The most high-profile case so far concerns Uber and Waymo.
Example Case: Uber versus Waymo
In January 2016, a Google engineer named Anthony Levandowski left Google's self-driving car project, which was spun out later that year as Waymo, to start his own self-driving truck company, named Otto. In August of the same year, Otto was acquired by Uber. Shortly thereafter, Waymo filed a lawsuit against Uber for trade secret theft. In February 2018, five days into the trial, a surprise settlement was reached for approximately $250 million in Uber stock. Mr. Levandowski was eventually forced to declare bankruptcy and was sentenced to 18 months in prison for trade secret theft.
The story is not as simple as an employee leaving for another firm and taking information with him. It appears that the hiring of Mr. Levandowski was planned by then Uber CEO Travis Kalanick. "'I wanted to hire Anthony [Levandowski], and he wanted to start a company,' Kalanick said on Tuesday. 'So, I tried to come up with a situation where he could feel like he started a company, and I could feel like I hired him.'"(Larson, 2018). The question then became, was Uber part of Mr. Levandowski's plot to steal trade secrets from Waymo? Did Travis Kalanick have advance knowledge of the theft? The case was among the highest-profile trade secret theft cases in history.
This is a classic insider threat case. Anthony Levandowski was a very talented and well-respected engineer. He was trusted by his friends and colleagues at Google, whom he ultimately betrayed. When he was hired, it is unlikely he intended to cause harm to Google. At some point, his motivation changed and he became a malicious insider. The civil lawsuit between Waymo and Uber was settled, and the criminal case against Mr. Levandowski ended in a plea agreement, so we may never know exactly how Google knew he stole documents on his way out. According to an article about the case published on The Verge's website, "Levandowski stole 14,000 documents from Google containing proprietary information about its self-driving cars and downloaded them on to his personal laptop." (Hawkins, 2019). While the article doesn't explicitly state what evidence Google had to support its claim, the fact that they knew the number of documents and the method of exfiltration tells us two important things. First, they had a system in place to monitor transfers from the repository where sensitive information was hosted, likely in the cloud, and second, that system was configured to distinguish sensitive information from commodity information, so that a bulk download of the former stood out. In short, Google had an effective information protection program. If they hadn't, Uber would likely be using the information to gain a competitive advantage over Google, and Mr. Levandowski would be a very rich, free man.
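The two capabilities just described, an audit trail of repository downloads and a classification that separates sensitive documents from commodity ones, are what turn "an engineer copied some files" into a detectable event. The following is an added example, not code from the book or from Google, of the detection logic a security team could run over such a trail: it counts sensitive-labelled downloads per user in a sliding time window and raises an alert when the rate crosses a threshold, noting how many went to an unmanaged device. The log format, user names, labels and thresholds are all constructed for illustration.

```python
"""Bulk-download detection over a repository audit log (added illustrative example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample events: one JSON object per line, as a cloud repository
# audit export might produce. "label" comes from the classification step;
# "device" from endpoint management. None of this is real Google/Waymo data.
SAMPLE_LOG = """
{"ts": "2016-01-10T10:00:00Z", "user": "alice", "doc": "memo-1", "label": "commodity", "device": "managed"}
{"ts": "2016-01-10T09:00:00Z", "user": "bob", "doc": "design-112", "label": "sensitive", "device": "managed"}
{"ts": "2016-01-10T09:40:00Z", "user": "bob", "doc": "design-113", "label": "sensitive", "device": "managed"}
{"ts": "2016-01-10T10:05:00Z", "user": "alice", "doc": "memo-2", "label": "commodity", "device": "managed"}
{"ts": "2016-01-10T10:15:00Z", "user": "alice", "doc": "design-050", "label": "sensitive", "device": "managed"}
{"ts": "2016-01-10T10:20:00Z", "user": "bob", "doc": "design-114", "label": "sensitive", "device": "managed"}
{"ts": "2016-01-10T10:30:00Z", "user": "alice", "doc": "memo-3", "label": "commodity", "device": "managed"}
{"ts": "2016-01-10T11:00:00Z", "user": "bob", "doc": "design-115", "label": "sensitive", "device": "managed"}
{"ts": "2016-01-10T11:40:00Z", "user": "bob", "doc": "design-116", "label": "sensitive", "device": "managed"}
{"ts": "2016-01-10T12:20:00Z", "user": "bob", "doc": "design-117", "label": "sensitive", "device": "managed"}
{"ts": "2016-01-10T22:01:00Z", "user": "mallory", "doc": "lidar-001", "label": "sensitive", "device": "personal"}
{"ts": "2016-01-10T22:02:00Z", "user": "mallory", "doc": "lidar-002", "label": "sensitive", "device": "personal"}
{"ts": "2016-01-10T22:03:00Z", "user": "mallory", "doc": "lidar-003", "label": "sensitive", "device": "personal"}
{"ts": "2016-01-10T22:05:00Z", "user": "mallory", "doc": "lidar-004", "label": "sensitive", "device": "personal"}
{"ts": "2016-01-10T22:06:00Z", "user": "mallory", "doc": "lidar-005", "label": "sensitive", "device": "personal"}
{"ts": "2016-01-10T22:08:00Z", "user": "mallory", "doc": "lidar-006", "label": "sensitive", "device": "personal"}
{"ts": "2016-01-10T22:09:00Z", "user": "mallory", "doc": "lidar-007", "label": "sensitive", "device": "personal"}
{"ts": "2016-01-10T22:10:00Z", "user": "mallory", "doc": "memo-9", "label": "commodity", "device": "personal"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def summarize_sensitive_downloads(events, window_minutes=30):
    """Per user: total sensitive downloads, peak count inside any sliding
    window of window_minutes, and how many went to a non-managed device."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> timestamps of sensitive downloads still inside the window
    summary = {}
    for event in events:
        if event["label"] != "sensitive":
            continue  # commodity downloads are normal work and are ignored by this rule
        user = event["user"]
        stats = summary.setdefault(user, {
            "user": user, "total_sensitive": 0, "peak_in_window": 0,
            "unmanaged": 0, "window_start": None, "window_end": None,
        })
        stats["total_sensitive"] += 1
        if event["device"] != "managed":
            stats["unmanaged"] += 1
        queue = recent[user]
        queue.append(event["ts"])
        while event["ts"] - queue[0] > window:  # drop timestamps that fell out of the window
            queue.popleft()
        if len(queue) > stats["peak_in_window"]:
            stats["peak_in_window"] = len(queue)
            stats["window_start"], stats["window_end"] = queue[0], event["ts"]
    return summary


def detect_bulk_sensitive_downloads(events, threshold=5, window_minutes=30):
    """Return the per-user summaries whose peak rate meets the alert threshold."""
    summary = summarize_sensitive_downloads(events, window_minutes)
    return [s for s in summary.values() if s["peak_in_window"] >= threshold]


if __name__ == "__main__":
    for alert in detect_bulk_sensitive_downloads(parse_events(SAMPLE_LOG)):
        print(f"ALERT {alert['user']}: {alert['peak_in_window']} sensitive documents between "
              f"{alert['window_start']:%H:%M} and {alert['window_end']:%H:%M}, "
              f"{alert['unmanaged']} to an unmanaged device ({alert['total_sensitive']} total)")
```

In the constructed log, bob downloads six sensitive documents over a working day and is not flagged with a 30-minute window, while mallory pulls seven in under ten minutes to a personal device and is. Widening the window to four hours flags bob as well, which is the tuning trade-off: the rule only works if the classification labels are trustworthy and the window and threshold reflect how the repository is normally used.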
Defending trade secrets is difficult, but it is important. Many organizations dedicate significant capital to research and development, and if the output of that research is not properly protected, the organization may never realize the full value of its discoveries. While Google had to spend money to defend its trade secrets in court, it ultimately obtained both financial and injunctive relief and can compete in the marketplace without a primary competitor using its own research against it. Now that you are aware of how trade secrets function, let's move on to trademarks.
Trademarks are a type of intellectual property designed to allow the provider of a good or service to distinguish that good or service from others. The intention of a trademark is to avoid customer confusion. The protection prevents someone from creating a product to compete with a well-known brand and making the name of the product and the look of the packaging so similar that the customer cannot tell the difference. Trademarks are designed to be as widely publicized as possible, so there is little need for an information security program to focus on protecting them.
Now that you have had a brief introduction to intellectual property, we should move on to the impact of cybercrime. Throughout the book, there are example cases that are designed to highlight specific concepts related to the topics we are covering. It is easy to look into the details of a case and forget about the real people behind the cases.
In addition to the macro-economic implications, the stories behind the headlines involve real companies and real people who are being hurt. We will examine some select high-profile example cases throughout the book to discover what happened, how similar attacks could be prevented, and just how damaging the attack was for those involved. It should be noted that many of these cases have been studied enough that root causes have been identified. While there are lessons to glean from others, I caution you against simply trying to build detection and prevention mechanisms for these specific attacks. Many security systems have tried such approaches in the past, with poor results. Trying to guess how an attacker will attack you and building an alarm to identify that specific attack pattern is ineffective. It is far more effective to identify what should happen inside your environment and build systems and processes to detect and respond to anomalies.
Each of the cases is an example of the devastating impacts of cybercrime for someone. As you read the cases, please try not to focus only on what happened technically and how these types of incidents can be prevented tactically; try to also consider the impact of the incident on the victim, the company, and the attacker. In some cases, the case seems to end well for the attacker. In many cases, it does not.
The impacts of cybercrime can be devastating, yet the economics still favor the attacker: the expected gain from an attack outweighs the attacker's cost and risk, while the direct cost of a breach to any single company has often been small enough that under-investing in security looked rational. The macro-economic damage, especially when PII is involved, is frequently far larger than the cost borne by the company that failed to protect the information. As a result, governments have introduced regulations in an effort to compel companies to protect information that has been entrusted to them.
In response to escalating costs associated with personal data theft and the identity theft that follows, governments and industries around the world have passed regulations to compel companies to take their security programs seriously. While meaning well in their intentions, new regulations have led to a disjointed patchwork of requirements global organizations must comply with, which can be counterproductive. However, regulations will need to balance the equation between the costs of cybercrime and the benefits to attackers if they hope to stem the tide of cyber-attacks and the growing impact cybercrime is having on the global economy.
Historically, information protection regulations were created on a per-industry basis. In 1996, the United States passed the Health Insurance Portability and Accountability Act (HIPAA), which included privacy rules for health-related data. In December 2004, the major payment card brands jointly released the first version of the Payment Card Industry Data Security Standard (PCI DSS); the PCI Security Standards Council, which maintains the standard today, was formed in 2006. PCI DSS applies to anyone who stores, processes, or transmits payment card data, and the level of validation required (self-assessment versus an on-site assessment) depends on the number of transactions a company handles in a given year.
Industry regulations are often prescriptive and specific when defining what types of information should be protected and how. For example, PCI-DSS has 6 control objectives that organize 12 specific requirements for anyone storing, processing, or transmitting credit card information. Because the scope of data to be protected is so narrow, giving specific guidance to companies is feasible.
As time has passed, additional industry-specific regulations have given way to broader data privacy regulations passed by governments who were interested in curbing the economic effect of identity theft. Additionally, many of the regulations are designed to establish the rights of people to exert control over data used to identify them and define the responsibilities of the organizations that collect their data.
The invention of computers and digital storage changed the nature of data collection and control over information. The digital age has made copying data and sharing it with others easier than ever before. As technology changed and outsourcing specific functions became more prevalent, individuals lost control over who had access to information that could cause them harm. There were few rules about how data could be handled and whom it could be shared with. Furthermore, when a person provided their information, there was little transparency about how it would be used and by whom. Over the years, countless data breaches caused harm to individuals. In many cases, the organization that was breached held information belonging to individuals who had never provided their information to it directly. In response, governments began to pass regulations designed to establish data subject rights and severe penalties for those who violate them. The European Union's General Data Protection Regulation (GDPR) has been the most impactful and well-known data privacy regulation.
In 2016, the European Union adopted GDPR to broaden and harmonize its rules on personal data; it has applied since May 25, 2018.
GDPR is made up of 11 chapters and 99 articles. It covers a wide variety of topics and seeks to establish data privacy as a basic right for European citizens and to give control to data subjects over how their data is used and processed. The 99 articles and 11 chapters of GDPR are detailed on the following website: https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en.
Originally, much of the conversation about GDPR was about the harsh penalties laid out in the legislation. For the most serious violations, companies can be fined up to €20 million or 4% of their worldwide annual turnover, whichever is higher. However, the supervisory authorities have been mostly collaborative with companies that are trying in good faith to comply and to protect data subjects' personal data and associated rights. Willful negligence or a failure to exercise due care with personal data can be punished severely.
Parts of GDPR are groundbreaking and have forced companies to adopt new best practices. For example, GDPR sets limits on how long data can be retained and forces companies to map how personal data flows throughout their organizations. Both are best practices for all types of sensitive data, but prior to GDPR, few companies understood their data well enough to comply with these provisions.
Unlike PCI-DSS, GDPR must cover a broad spectrum of companies and data types, so the requirements are far less specific. Also, the regulation was written to establish rights and responsibilities, so as technology changes, the methods of protecting information can change without amending the legislation.
Example Case: British Airways
British Airways suffered a data breach in 2018 that affected more than 400,000 customers. The Information Commissioner's Office (ICO) is the GDPR supervisory authority in the United Kingdom and therefore had jurisdiction over British Airways. After the breach was made known, the ICO investigated the factors that led up to the breach of sensitive information. The ICO determined that British Airways had security weaknesses in systems processing personal information that it knew about and failed to address. In addition, the ICO determined that more people were affected than necessary because British Airways failed to discover and remediate the issue in a timely manner. After the investigation, the ICO said, "Their [British Airways'] failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That's why we have issued BA with a £20m fine – our biggest to date." (Page, 2020)
The source of the breach was an outdated copy of a third-party JavaScript library, Modernizr, which British Airways used on its payment pages. The attackers were able to modify the script so that the personal and payment details customers typed into the payment form were also sent to a domain the attackers controlled. In many cases, companies claim they are the victim of an advanced attack when a breach occurs, but that was clearly not the case in this instance. According to a Wired article, "The vulnerability in Modernizr is a well-known one, and BA had not updated it since 2012 – long after problems were known to exist." (Stokel-Walker, 2019). Even after the breach, the ICO found British Airways had failed to take adequate steps to secure its website.
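The failure mode here is a script on a payment page that no longer matches what the site owner thinks is being served. One concrete check for that class of problem is Subresource Integrity: each script tag carries a hash of the expected file, and any script whose served bytes do not match the pinned hash, or that has no pin at all, or that loads from a host the payment page should never talk to, is flagged. The following is an added example, not British Airways' code or anything from the ICO report; the page markup, host names, script bodies and allowlist are all constructed for illustration, and the "served" content is a dictionary standing in for what an HTTP fetch would return.

```python
"""Subresource Integrity audit of scripts on a payment page (added illustrative example)."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


def sri_hash(content, algo="sha384"):
    """Return the SRI integrity token for content, e.g. 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed script bodies. The tampered copy is the pinned library plus an
# appended submit handler, standing in for whatever an attacker would add.
ORIGINAL_LIB = b"window.Modernizr = {touch: true};\n"
TAMPERED_LIB = ORIGINAL_LIB + b"document.addEventListener('submit', function (e) { /* copy fields elsewhere */ });\n"
JQUERY = b"window.jQuery = function () {};\n"

# Constructed payment page. Only the library and jQuery tags are pinned.
PAGE_HTML = f"""
<html><body>
<form id="payment"></form>
<script src="https://cdn.example/modernizr-2.6.2.min.js" integrity="{sri_hash(ORIGINAL_LIB)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/jquery.min.js" integrity="{sri_hash(JQUERY)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://static.evil.example/skim.js"></script>
</body></html>
"""

# What the server actually returns for each URL (constructed stand-in for a fetch).
SERVED = {
    "https://cdn.example/modernizr-2.6.2.min.js": TAMPERED_LIB,
    "https://cdn.example/jquery.min.js": JQUERY,
    "https://cdn.example/analytics.js": b"/* analytics */\n",
    "https://static.evil.example/skim.js": b"/* unknown */\n",
}
ALLOWED_HOSTS = {"cdn.example"}


class ScriptCollector(HTMLParser):
    """Collect external <script src=...> tags with their integrity attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if attributes.get("src"):
            self.scripts.append({"src": attributes["src"], "integrity": attributes.get("integrity")})


def extract_scripts(html):
    collector = ScriptCollector()
    collector.feed(html)
    return collector.scripts


def audit_scripts(html, served, allowed_hosts):
    """Return (src, issue) findings for every script that fails a check."""
    findings = []
    for script in extract_scripts(html):
        src = script["src"]
        if urlparse(src).hostname not in allowed_hosts:
            findings.append((src, "host not on allowlist"))
        if not script["integrity"]:
            findings.append((src, "no integrity attribute"))
            continue
        body = served.get(src)
        if body is None:
            findings.append((src, "script not retrieved"))
            continue
        # An integrity attribute may list several tokens; the browser accepts any match.
        pins = script["integrity"].split()
        if not any(sri_hash(body, pin.split("-", 1)[0]) == pin for pin in pins):
            findings.append((src, "integrity mismatch"))
    return findings


if __name__ == "__main__":
    for src, issue in audit_scripts(PAGE_HTML, SERVED, ALLOWED_HOSTS):
        print(f"{issue}: {src}")
```

Run against the constructed page, the modified library is caught by the hash mismatch, the unpinned analytics script and the script from an unexpected host are each flagged, and the unmodified jQuery copy passes. Note the limit of the check: a pin proves the file has not changed, not that it is current, so an inventory of third-party components and their release dates is a separate control from the integrity check, and both belong on any page that handles card data.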
The fine was significant because it was determined that British Airways was not only a victim of a cyber-attack, but they also failed to exercise due care to protect customer information, and as a result, consumers were harmed. This was the exact situation GDPR was developed to address. The legislation provides a method for supervisory authorities to compel companies to take the protection of PII seriously.
While the fine was record-breaking, it was far lower than the £183 million the ICO had originally announced in its notice of intent. The reduction followed representations from British Airways and took into account the economic impact of the COVID-19 pandemic on its business, as well as the improvements British Airways had made to prevent similar events from happening in the future.
For many years, organizations ignored security best practices and put individuals' information at risk. Because breaches are so frequent, the brand damage from any one of them is often short lived, and the cost of securing information could appear to outweigh the benefits. The implementation and enforcement of GDPR has made securing consumers' personal information good business: failing to secure it appropriately now carries severe consequences.
While GDPR is the best-known privacy regulation, there are several others around the world with similar goals that are also enforced. One of the challenges for multinational enterprises is keeping up with all the global regulations they are subject to and the changes to each.
Next, we will look at a law older than GDPR that is being updated to place a greater emphasis on individual rights to data.
The next consequential legislation, Japan's Act on the Protection of Personal Information (APPI), predates GDPR. However, since the passage of GDPR, APPI has been updated to establish the rights of data subjects and the responsibilities of companies to protect personal information.
Japan's APPI predates GDPR and was originally passed on May 30, 2003. It has been amended several times, but the most recent amendment, passed in 2020, comes into effect in April 2022. The International Association of Privacy Professionals (IAPP) often writes about changes to international privacy regulations. You can find an article on the recent changes to APPI at the following link: https://iapp.org/news/a/japan-enacts-the-act-on-the-protection-of-personal-information/.
There is commonality between the objectives of APPI and the objectives of GDPR, but the rules are different. As a result, companies operating in Europe and Japan must build their security programs to meet the requirements of both jurisdictions.
It is difficult to operate globally and comply with different regulations between countries and regions. However, in the United States, the situation is much worse. In the absence of national data privacy regulations, many states have begun passing their own patchwork regulations. The most comprehensive and well-known is the California Consumer Privacy Act (CCPA), but there are separate pieces of legislation across many states that further complicate compliance efforts. CCPA was largely based on GDPR. However, it has fewer articles and has expanded the definition of personal information to include information that can be used in machine learning datasets. There is a good summary of CCPA provided by Thomson Reuters Westlaw at the following link: https://govt.westlaw.com/calregs/Browse/Home/California/CaliforniaCodeofRegulations?guid=IEB210D8CA2114665A08AF8443F0245AD&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default).
When studying regulations around the world, some common themes emerge:
- Data subjects own the data that identifies them. Those who store, process, or transmit it are granted a license to do so only through consent; they do not own the information.
- Companies that collect information cannot sell or share it without the consent of the data subjects.
- Data subjects should know exactly how data about them is being used.
Many business models are under direct attack through this type of legislation, such as advertising companies that curate lists and social media companies that trade free services for information about individuals that they can profit from.
There are several other privacy regulations passed by individual countries, such as PIPEDA in Canada and Australia's Privacy Act. Most new regulations deal with personal information and many of the objectives are similar. However, the responsibilities a company has under each law can be contradictory. Multinational enterprises struggle with a regulatory tapestry that grows in complexity with each passing year.
There is no doubt that identity theft is a major problem globally. However, the patchwork of regulations around the world makes it difficult for short-staffed security teams to comply with the regulations. Furthermore, security begins where compliance ends, and if security teams are spending all their time on compliance initiatives, there is little time remaining for those teams to focus on their primary mission.
While data privacy regulations are growing in popularity, data sovereignty regulations also exist. The primary difference between data privacy and data sovereignty is that data privacy is designed to control who can access information, whereas data sovereignty primarily regulates international data transfers.
Many regulations are designed to control the flow of data between countries. In most cases, data can be transferred under certain circumstances. The stated purpose is to ensure private data is not transferred to countries where the government can infringe upon privacy rights. Countries such as China and the United States, where the government has the power to compel companies to share information about individuals without their consent, are often primary targets of data sovereignty rules. There are differing opinions about the right to privacy among countries around the world. As a result, many countries seek to limit the flow of information across borders. However, these regulations often create complexity in the modern world. Information does not respect terrestrial borders, and cloud services are designed to optimize performance, not to operate in specific jurisdictions. As a result, the unintended consequence is to make it more difficult for companies headquartered in countries with restrictive data sovereignty rules to be competitive globally. Few new regulations include data sovereignty elements, but many restrictive data sovereignty rules still exist.
Another area where governments have regulated business affairs that relates to information security is the idea of workers' councils. Workers' councils are designed to represent the interest of employees and balance power between labor and companies. While these councils serve many functions, among them is reviewing a company's plans for employee monitoring and electronic surveillance.
In several countries, such as Germany, Switzerland, and the Netherlands, workers are granted rights and representation that allow them input into how employees are monitored in the workplace. These workers' councils often hold significant power and must be consulted before a company can implement security controls that monitor employee communications and behavior. The rules and objectives differ between jurisdictions, but the councils are in place to prevent employers from using electronic surveillance in an oppressive manner.