Sunday, December 28, 2008

Cyber Security Debacle- Update on World Bank 'Unprecedented Crisis'

It’s been months of stonewalling and denials during a series of reports covering a variety of in-house World Bank scandals, including (i) targeted cyber security attacks breaching their most sensitive financial data and (ii) corruption issues with sanctions against at least one supplier determined guilty of wrongdoing. The latest twist: a leading India-based information technology vendor, Satyam Computer Services, was barred in February from all business with the bank for a period of eight years; the ban started in September.

Some highlights:

The World Bank provides financial and technical assistance to developing countries, governed by a board of 180+ member nations, with the mission “Working for a World Free of Poverty.”

  • "From 2003 through 2008, as FOX News reported, the World Bank paid Satyam hundreds of millions of dollars to write and maintain all the software used by the bank throughout its global information network, including its back-office operations. The engagement scope involved overseeing data that ranged from accounting and personnel records to trust funds administered for many of the world's richest nations."

  • "Satyam was straying badly across the bank's ethical warning lines. In 2005, the bank's chief information officer, Mohamed Muhsin, was ousted after being accused of improperly buying preferential stock options from Satyam, even as he awarded the firm major contracts. A top-secret investigation led to Muhsin being banned permanently from the bank in January 2007. But for reasons that remain unclear, Satyam was allowed to remain in control of the bank's information network until early October 2008."

  • According to reporting in October, World Bank employees were ordered to change their passwords three times over a three-month period in response to the attacks, which spanned somewhere between 18 and 40 servers across multiple hacks. According to the report, there were six major break-ins in the past year, and at least five servers containing sensitive data were exposed. FOX News obtained apparent internal e-mail messages regarding the attacks that characterize a complicated series of events and the agency’s response to them.

  • “In a frantic midnight July 22nd e-mail to colleagues, the bank's senior technology manager Rakesh Asthana referred to the situation as an 'unprecedented crisis' and that 'the passwords that have been compromised may have accessed data.' An e-mail from July 10 explains that a minimum of 18 servers may have been compromised and that five of them contained sensitive data. Yet an Aug. 19 memo from the bank's CIO, Guy-Pierre De Poerck, downplays the severity of the situation. The staff memo says that controls on external Web sites have been tightened, that passwords have been reset, and that RSA SecurID tokens have been deployed for Web mail access. It concludes that 'there is no evidence that bank staff personal information is at risk from the recent external attempts.'”
    Editorial note: Guy-Pierre De Poerck no longer works at World Bank.

  • “It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution's highly-restricted treasury unit were deeply penetrated with spy software in April. Invaders also had full access to the rest of the bank's network for nearly a month in June and July. In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007.”

  • “It may be the worst security breach ever at a global financial institution. And it has left bank officials scrambling to try to understand the nature of the year-long cyber-assault, while also trying to keep the news from leaking to the public."

  • Video Interview: World Bank Hack - FOXNews 10/10/2008

Some thoughts:

While this isn't your typical bank, banking and the financial sector as a whole are known to generally have much better cyber security than most sectors. It’s alarming that this situation dragged on for so long after surfacing internally.

Besides the alleged repeated CIO-level inside dealing with a gorilla-scale outsourcer, a more fundamental issue was the abdication by management in addressing information security risks. Releasing CIOs from employment and putting named security leadership temporarily in charge will help. Perhaps large gaps in fundamental information security controls are now finally being addressed. Certainly a lack of programmatic incident handling preparations contributed to the problems before Fox News broke the story.

Before saying “It can’t happen here.”

How well developed is your incident handling program? What happens to you and your organization if or when you are breached by targeted attacks? What about your increasing exposure through outsourcing, and how is that risk being managed? How about robust enclaves for your critical systems? Do you really have defense in depth with graded, inside-out protective measures? Are there definitive, complementary, and auditable MOT controls, i.e., managerial, operational, and technical, in place for your more critical settings that clearly provide and support defense in depth capabilities, i.e., deny, detect, deter, recover? Who is watching the watchers? How is management being kept abreast of status? Are there regular, transparent reviews involving key internal stakeholders? Are there improvement planning cycles involving decision makers, and are the plans being completed and the results objectively reviewed?

- Think could only happen in the financial sector?

What if emergent problems persisted and pulled you and your information security team deeper into the mix after repeated missteps? How do you ensure that your response is viewed as part of the solution and not increasingly as part of the problem? What if your organizational leadership "ducks and covers" when pressed, providing a shifting story while investigative reporters eagerly pry out pieces of the truth and report it all?

- Are you just another easy mark?

Just how developed are your incident handling policy and procedures, and do they have the senior management support needed when escalating cyber security problems really hit the fan?

- Still comfortable?

- World Bank Besieged By Hackers, Or Not, Information Week, 10/10/2008
- World Bank Removes Chief Information Officer, 11/27/2008
- World Bank Admits Top Tech Vendor Debarred for 8 Years, 12/24/2008

Sunday, December 7, 2008

Clock is Ticking for First Round of Pending Changes to NERC CIP Standards
- Comments due Jan 5th

Driven by the Cyber Standards Final Rule, FERC Order 706, the first revision to the NERC CIPs addressing cyber security requirements for bulk electric operations is out for review, with comments due by Jan 5th, 2009. This round of changes removes a significant amount of wiggle room based on "business judgement", adds explicit senior management approval of the risk methodology (not just the critical assets list), requires background checking to be completed before access is permitted (not in parallel), and tightens the timeframe requirement for addressing security issues, among other changes.
  • "Emphasis on Order 706 directive for NERC to address revisions to the CIP standards considering applicable feature of the NIST Security Risk Management Framework among other resources."
  • While this process with the NERC CIPs may seem difficult, at least there is the benefit of continuity. Congressional testimony last year and this year raised serious questions about NERC's ability to be an effective ERO for FERC; NERC's handling of Aurora and its arguably misleading testimony created much of this pain, and NERC is still not out of the woodshed. Last year's testimony also suggested getting rid of the CIPs and starting fresh based more on NIST standards, as recommended by Mr. Joe Weiss (jump to 2:12:50 for his opening comments in the video):
    - “The Cyber Threat to Control Systems: Stronger Regulations are Necessary to Secure the Electric Grid.” - Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Oct 17th, 2007 (video/submittals)
Better buckle up, this is just the first round of Order 706 driven changes.
  • "The SDT met on October 6–8, 2008 and because of the extensive scope and varying complexity of the issues and work in these revisions, the team decided on a multiphase approach for revising this set of standards. This posting of the cyber standards for industry comment only relates to Phase I of the project."
- Cyber Security (Project 2008-06 Site) - The Cyber Security SDT posted its first draft of revised Cyber Security standards (CIP-002-1-CIP-009-1) for a 45-day public comment period starting November 21, 2008 and ending on January 5, 2009. Both clean and redline versions (zip files) are available for download and review.
- Revised NERC CIP standards out for 45 day comment period, Digital Bond 11/24/2008
- Cyber Standards Final Rule - FERC Order 706, NERC Workshop Presentation (informative 72 slides), 5/13/2008
- Drafted Changes Summary, NERC Comment Form