ISSA Conference at UCLA: Five Stages of Web Security Grief

Visiting an Information Systems Security Association (ISSA) conference yesterday was a little bit like visiting a foreign country. I only understood a portion of the highly technical cyberthreat jargon being discussed, but what I did understand was a bit frightening. Keynote speaker Jeremiah Grossman even said his presentation would take us through the 5 stages of “web security grief”: denial, anger, bargaining, depression and acceptance. A computer user might experience them like this (my version):


Denial: I’m safe, I have anti-virus on my computer.  And I’m pretty careful online.


Anger: I can’t believe it’s gotten so bad. It seems like many of my social network friends have been hacked and I just got a pop-up fake anti-virus on my computer. I think someone is using my credit card! Somebody should do something!!


Bargaining: I’ll increase my security to a full suite, I’ll change my passwords, and I’ll stop using peer-to-peer file sharing.  I’ll even update my operating system, browser and programs to the latest versions. That should work, right?


Depression: But I’m so careful what I click on and I never open attachments. Maybe I should stop shopping online?  I don’t even feel comfortable using public WiFi anymore. Life was so much better in the old days.


Acceptance: The benefits of online life are worth the risks. I’ll do everything I can to secure my computer, my devices and my data and I’ll minimize what a crook could get but after that, you just have to deal with it.


To read more of Jeremiah’s writing, here’s a link to his blog.


There was a panel session geared for “the executives” that I found particularly valuable. On the panel were a small business cybercrime victim, a banker, a cybercrime investigator and a white hat hacker. The victim in particular was eloquent in describing how frustrating both the crime itself and the lack of response from her first bank and law enforcement were. Hearing directly from a victim what happened can be more educational than any theoretical article, simply because we would otherwise say (if we’re in Denial) “it won’t happen to me.”


The victim had experienced two cybercrimes, one in 2006 and another several years later. She could not pinpoint with 100% accuracy the source of each infection, but her best guess was that in the first case, an employee in her department was visiting a social networking page that was infected with malware. This malware then spread to the rest of the company and stole online banking and payroll account information. This enabled the crooks to make a big wire transfer to the Philippines. She was able to halt the transfer when it was only partially complete, and only because of an odd quirk of the crooks. They went to the bank in the Philippines and insisted on receiving US Dollars. The bank only had a small amount on hand, gave it to them and requested they return later for the remainder. That delay meant that when the victim stopped the transfer, the remaining funds weren’t given to the crooks.


The second infection occurred when (she believes) her office manager’s computer was already infected with the Zeus Trojan. Then when the manager conducted normal online banking, the Trojan picked up the credentials and sent them to the criminals. They accessed her bank and batched transfers of money to the tune of $450,000. The big difference in terms of her losses was that in the intervening years, the victim had purchased cybercrime insurance as part of her overall risk management plan and that helped her minimize her losses significantly. (Did you even know you could purchase cybercrime insurance? If you are a business owner, that is something to look into!)


The cybercrime investigator summed up the experience succinctly: “the world is a scary place.” He sounds like he’s already living well within the “Acceptance” phase of web security grief. Makes sense, given his job. He also suggested that anyone, whether an individual or a businessperson, identify what they have on their computer of value. It could be customer lists, banking account information, financial records, business plans, etc. What would pain you if it were in the hands of bad people? It might include your personal photos and videos. Take a moment to consider those. Now think how you can “isolate” them from access by a cybercriminal or virus. Can you store them off the network? Can you upload them to the “cloud” with an online storage service?


A great suggestion the victim shared is for small business owners who manage large amounts of money or payroll, or who do online purchasing, to acquire an inexpensive netbook and isolate it from the rest of the network. Dedicate it to financial transactions only and limit who has physical access to it. No email, no web surfing, no music file sharing, no online shopping and no social networking. Another suggestion, from a Symantec sales engineer on hand, was to use it only under a restricted “Guest” account, so that no programs or executables downloaded from the internet could be run by malware or cybercriminals.


I’d also suggest adding Norton security software for netbooks to it, as you do with any computer.