Infosec: More than reindeer games

Dear Santa,

As CEO of XMAS Inc., the leading manufacturing and shipping enterprise, you face extraordinary pressure to deliver joy on Christmas morning to billions of kids around the world. In fact, it’s hard to think of any other top business leader who is responsible for so many children’s dreams each year—and whose executive compensation package consists entirely of cookies and milk. With only a single workshop located in a hostile climate, a limited number of legacy employees, one used vehicle, no financing and an extraordinary supply of sugar, you’ve been able to accomplish more than any of your competitors—all with far greater resources—will achieve over the course of their entire careers.

But Santa, regardless of your unimpeachable track record, the news headlines we all hear—the ones about Sony, Staples, Target or the Home Depot compromise—are, sadly, all too real and devastating. These attacks demonstrate that believing in Christmas magic, sugar plum fairies or laying your finger aside of your nose is no longer an effective security strategy. You, of all people, know better than many corporate leaders that the cyber naughty list is growing longer each year.

Gone are the days of elves tinkering on a simple factory line. Good boys and girls are placing new demands on XMAS Inc. unlike any you’ve ever experienced. Your workshop has rapidly expanded its technical capabilities so you can assemble the laptops, tablets and smartphones that are now on every digital native’s wish list. Not to mention the complex IT infrastructure your elf engineering team has developed to deploy solutions like data analytics for toy management, reindeer optimization and elf efficiencies.

Chances are some aspects of XMAS Inc.’s IT setup make you feel bah humbug. Maybe it’s the fact that your most valuable intellectual property—your naughty-nice database—is maintained on a server from Christmas past? Perhaps it’s the elves’ practice of sharing their passwords? Or your firewall might be more concerned about being nice than keeping the naughty out? How about the outdated antivirus on Mrs. Claus’ laptop? Or maybe everyone in the North Pole is so busy believing in holiday magic that the idea of a cyber threat stealing Christmas doesn’t seem possible?

Yes, Santa, there is an enormous world of digital crime. It exists as surely as fraud, greed and cyber darkness exist, and you know that means that as a business executive—the creator of Christmas magic—you are responsible for understanding the scope of the threat against your entire enterprise.

After checking your network twice, my advice is this: You better watch out. Cyber criminals are sly. They will lie and ruin Christmas for all the good boys and girls.

To help you get the jolliest good from my assessment, let’s examine the two biggest threats targeting XMAS Inc.

We begin with The Grinch. This green dude has over 50 years of experience with holiday theft. Working in cahoots with an organized gang of canine prosthetic antler enthusiasts, together they’ve created a massive botnet. Having become increasingly prone to episodes of rapid cardiac palpitations if he sees humanoids being nice, the Grinch has, for health reasons, moved his criminal operations away from old school looting and burglary to conducting phishing attacks.

Let’s look at Figure 1—the Grinch has already infiltrated your Workshop Server because Mrs. Claus fell for one of his sneaky tricks. She clicked on a malicious link thinking it was an email order confirmation for that new diet cookbook she purchased from a major online retailer. But really, it’s the Grinch trying to steal Christmas!

After her laptop became infected, Mrs. Claus unknowingly transferred that malware to your personal computer by emailing you an infected attachment. Then, the Grinch routed himself using your VPN, crossed over XMAS Inc.’s corporate firewall, and traveled directly into the Workshop Server! He’s been laughing all the way.

Why does this matter? You might be thinking—how much damage will the Grinch cause by infecting my Workshop Server? I mean we both know he’s on the naughty list, right?

Right. And by infiltrating XMAS Inc.’s network the Grinch knows when your system configurations are missing; he knows if your security gaps are patched; and he knows exactly the amount your elves are spending on buying eggnog for their break room instead of upgrading your Intrusion Detection System. Not to mention your reindeer believe “Rudolph123” is a strong password, and they’ve been sharing their Sleigh Scheduling login credentials over unencrypted emails.

As a result of your weak security policies, the Grinch has gained complete control over XMAS Inc.’s logistics software. He’s scheduled your sleigh to leave all the toys destined for good boys and girls at his various mountain caves instead!

It gets worse, Santa. Meet the Abominable Snowman.

The Abominable Snowman hates everything XMAS Inc. represents, not to mention that a species of reindeer with a light-emitting diode for a nose, which you own and promote, is known to send him into a cyber rage. Sadly, I see evidence, based on naughty traffic flows, showing his long pointed fangs are already deep in your network.

Don’t let this scrooge of a yeti deceive you. Although this creature is covered in white fur—he wears a black hat. And he’s stealing children’s personally identifiable information (PII), holiday behavior information (HBI) and your trade secrets right out of the workshop’s List Database!

The Abominable Snowman is taking advantage of flaws in your security to damage XMAS Inc.’s reputation and ruin the Christmas spirit. How will he do this? By distributing your naughty list across the Internet in order to embarrass kids around the world.

Let’s look at the Abominable Snowman’s game in Figure 2.

Nice and Naughty doesn’t just categorize children’s behavior; it describes data behavior too.

XMAS Inc.’s network security policy should only grant access to the List Database to those elves who require children’s records for their work. We can see the departments on the left side of this figure, like Toy Tracking and Sleigh Scheduling, who need to know whether children have been very good, are sending queries to the List Database during workshop hours. That’s nice.

Here’s your problem, Santa. In the middle of the night, when we’re nestled all snug in our beds, you can see serious data exfiltration from your List Database leaking into the Reindeer Barn. You said, “Well, that just can’t be? We have a couple of elves supporting security IT.” And so with a wink of an eye and a twist of the head, you thought you had nothing to dread.

But there’s something you didn’t see. The Abominable Snowman has been downloading kids’ data as fast as it came for months at a time. All he had to do was hack your network and install wiper malware in the Reindeer Barn. And this type of malware makes for a system compromise far worse than finding a large lump of coal on Christmas morning—what a shame.
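The nice and naughty traffic policy described for the List Database can be checked mechanically against flow records. The following is an added example, not part of the original letter; the workshop hours, the record layout and the sample flows are constructed assumptions.

```python
from datetime import datetime, time

# Assumed policy values; the letter names the departments but not the hours.
ALLOWED_CLIENTS = {"Toy Tracking", "Sleigh Scheduling"}
WORKSHOP_OPEN, WORKSHOP_CLOSE = time(8, 0), time(18, 0)
PROTECTED = "List Database"

# Constructed sample flows: start time, client segment, server, bytes sent by server.
SAMPLE_FLOWS = """\
2000-12-15T09:12:00,Toy Tracking,List Database,18432
2000-12-15T14:40:00,Sleigh Scheduling,List Database,20480
2000-12-15T23:05:00,Sleigh Scheduling,List Database,4096
2000-12-16T02:17:00,Reindeer Barn,List Database,734003200
2000-12-16T02:49:00,Reindeer Barn,List Database,681574400
2000-12-16T10:03:00,Toy Tracking,Workshop Server,2048
"""

def parse_flows(text):
    """Turn CSV flow lines into (datetime, client, server, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, client, server, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), client, server, int(nbytes)))
    return flows

def classify(flow):
    """Label one flow against the List Database access policy."""
    ts, client, server, _ = flow
    if server != PROTECTED:
        return "out-of-scope"
    reasons = []
    if client not in ALLOWED_CLIENTS:
        reasons.append("unauthorized-segment")
    if not (WORKSHOP_OPEN <= ts.time() < WORKSHOP_CLOSE):
        reasons.append("off-hours")
    return "naughty:" + "+".join(reasons) if reasons else "nice"

def naughty_bytes_by_client(flows):
    """Total bytes pulled from the List Database by policy-violating flows."""
    totals = {}
    for flow in flows:
        if classify(flow).startswith("naughty"):
            totals[flow[1]] = totals.get(flow[1], 0) + flow[3]
    return totals

if __name__ == "__main__":
    for f in parse_flows(SAMPLE_FLOWS):
        print(f[0].isoformat(), f[1], "->", f[2], f[3], classify(f))
    print(naughty_bytes_by_client(parse_flows(SAMPLE_FLOWS)))
```

Sorting the per-client totals by volume puts the Reindeer Barn at the top, which is the segment an analyst would isolate and image first.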

Santa, please allow me to give you some Christmas security advice.

We depend on you to deliver holiday cheer year after year. IT security is no longer a Christmas wish XMAS Inc. can miss. The realities of Christmas Present include a cyber Grinch, Black Hat Yeti Snowmen and more—this means your business will likely suffer another breach.

My letter is not another joyous holiday story. You no longer live in a North Pole filled with happy endings of candy canes, gumdrops and prancing little hooves. You must remember, Santa—as a corporate executive, savvy business leader and grantor of children’s dreams—you are not helpless against these threats. It’s time to incorporate cyber attack prevention, detection and response in what you practice AND preach all year long. Because securing technology is a responsibility for each of us, no matter whether we’re big or small.

Merry Christmas!
Chase

P.S. I’ve been very good this year.