Can you help me damage or maybe ruin your business?

There is a lot of talk lately about the Shirbit insurance company, which was breached and had a major part, if not all, of its confidential data leaked: clients' bank accounts, credit cards, insurance plans, medical data (Link). The damage is large, no doubt. To the best of my knowledge the exact attack vector has not been disclosed yet, but I'd bet my monthly salary it is one of the three main routes: a. exploitation of a known but unpatched vulnerability; b. a targeted attack, starting with phishing or similar; c. a "by chance" attack, for example someone used their work computer to plan a holiday and by chance landed on a compromised page or downloaded a video clip with malware in it (BTW, the last one is a real use case I have experienced during my career).

There will be much talk about it later in all kinds of media, so I don't wish to bother you with it. What I want to talk about is the broader perspective.

After all, no matter what the attack vector was, it resulted from some mistake: unpatched software, phishing, misuse of a company computer. As I stated in my previous article, there is a large gap between general awareness and implementation, and that is the real problem. There are systems and solutions designed to at least monitor and alert when something suspicious is happening, but those are sometimes used incorrectly or, in the worst cases, not used at all. No, I am not talking about firewalls or antivirus: those are used pretty often (although I did once see a firewall configured with an any-any rule overriding all the others, no kidding).

What I am talking about are much simpler solutions in terms of software design, but for some, more complex in terms of implementation. I will give a true-story example, as I love to do. So once upon a time, well, approximately two months ago, someone, let's call him Z, had a conversation, or rather an argument, with someone in a technical IT-related position in one very large organization, one that has millions of customers and a market cap of billions of dollars. One of the leading service providers in the world, actually.

It actually wasn't even a conversation. To be precise, it was a job interview in which Z was asked a question regarding SSL/TLS encryption. The question was whether Z would recommend using it at all in a web-facing application running in containers. Z replied "yes", of course, and, as often happens, Z, being a cyber-security person, and the interviewer, coming out of the IT world, didn't see eye to eye. He said to Z: "You don't think big. Imagine it's not one app but thousands of containers. Do you realize what implications that has for latency, or for the price this customer will have to pay?" Z replied: "I do, and I'd still recommend the same. Although a breached container could be brought down, erased and a new one fired up instead, I'm sticking with my point of view, because first you need to detect that breach, and by then it might be too late. Just one breach, but one too many." BTW, one nice example of escaping a container and eventually obtaining root permissions can be found by following LINK. Z was not selected for that position; locking horns with an interviewer is a dangerous move. Though Z's interview isn't the issue here; estimating risk as a function of revenue is.

This is not an uncommon issue: polar views between IT and security departments, and sometimes finance gets involved too. Cyber-security controls cost latency, bandwidth and computing power, and ultimately increase financial costs. Thus they are sometimes not properly implemented in favor of immediate monetary gain. Decision makers tend to estimate risk in terms of a single component of the network, or at best a group of components. That is, however, a problematic approach. Risk should be estimated by the potential damage of someone using the smallest component of the network as a way to get wider access, as in the container example above.
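To make that argument concrete, here is an added example (my own illustration, not code from the original article, and not a description of any real infrastructure). It models a small containerised service as a graph of lateral-movement edges and compares the naive "probability times the component's own value" estimate with a blast-radius estimate that values a component by everything an attacker can reach from it. The inventory, asset values, compromise probabilities and the rule that plaintext internal traffic lets any compromised container harvest credentials from the wire are all constructed assumptions.

```python
"""Blast-radius risk estimate for a small containerised service.

Added example, not code from the original article. The components, asset
values, compromise probabilities and lateral-movement rules are constructed
(hypothetical) to illustrate the article's argument: risk priced per component
ignores that an attacker uses the cheapest component as a stepping stone.
"""
from collections import deque

# Constructed inventory: value lost if the component is compromised (USD)
# and an assumed per-year probability that it is compromised directly.
COMPONENTS = {
    "edge-proxy":   {"value": 10_000,    "p_compromise": 0.05},
    "web-app":      {"value": 50_000,    "p_compromise": 0.03},
    "cache":        {"value": 1_000,     "p_compromise": 0.10},  # "not worth protecting"
    "auth-service": {"value": 200_000,   "p_compromise": 0.01},
    "customer-db":  {"value": 2_000_000, "p_compromise": 0.005},
}

# Assumed pivots that exist regardless of transport encryption: a compromised
# source can compromise the target (it holds credentials or sits in the
# request path).
BASE_EDGES = [
    ("edge-proxy", "web-app"),
    ("web-app", "auth-service"),
    ("web-app", "customer-db"),
]

# Credential-bearing flows on the shared container network. Model assumption:
# if these flows are plaintext, any compromised container on the segment can
# sniff the credentials and reach the destination directly.
SNIFFABLE_FLOWS = [
    ("web-app", "auth-service"),
    ("web-app", "customer-db"),
]


def build_edges(tls_internal: bool) -> dict:
    """Adjacency list of lateral-movement edges for the given transport setting."""
    edges = {name: set() for name in COMPONENTS}
    for src, dst in BASE_EDGES:
        edges[src].add(dst)
    if not tls_internal:
        for _src, dst in SNIFFABLE_FLOWS:
            for sniffer in COMPONENTS:
                if sniffer != dst:
                    edges[sniffer].add(dst)
    return edges


def reachable(edges: dict, start: str) -> set:
    """Every component an attacker holding `start` can pivot to (BFS), start included."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def per_component_risk(name: str) -> float:
    """The naive estimate: probability times the component's own value."""
    c = COMPONENTS[name]
    return c["p_compromise"] * c["value"]


def blast_radius_risk(name: str, tls_internal: bool) -> float:
    """The article's estimate: probability times the value of everything reachable."""
    edges = build_edges(tls_internal)
    total_value = sum(COMPONENTS[n]["value"] for n in reachable(edges, name))
    return COMPONENTS[name]["p_compromise"] * total_value


def ranking(tls_internal: bool) -> list:
    """Components ordered by blast-radius risk, highest first."""
    return sorted(COMPONENTS, key=lambda n: blast_radius_risk(n, tls_internal), reverse=True)


if __name__ == "__main__":
    for tls in (True, False):
        print(f"\ninternal TLS: {tls}")
        print(f"{'component':14} {'own-value risk':>15} {'blast-radius risk':>18}")
        for name in ranking(tls):
            print(f"{name:14} {per_component_risk(name):15,.0f} "
                  f"{blast_radius_risk(name, tls):18,.0f}")
```

With these constructed numbers the cache is worth 100 USD a year of risk on its own value, whichever way you count. Once internal traffic is plaintext, its blast-radius risk (220,100 USD) overtakes the customer database's own-value risk (10,000 USD), because the cheap, unprotected container is now the easiest road to the expensive one. That is the gap between pricing a control per container and pricing it per path.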

This latest breach, like many others before it, shows one simple thing: cyber security, despite its high cost, actually serves as good insurance for you. Let's think for a moment, using Shirbit's example, about the implications of a successful cyber attack against your business. Well, they are an insurance company. Now everyone knows their cyber security is very lacking and that all your supposedly confidential data might be leaked. If tomorrow you are approached by their rep, who offers you one of their insurance plans, will you think twice about it? Maybe more than twice? Will you turn that offer down because of some small thing that wouldn't even catch your eye if it were some other insurance company?

It doesn't really matter what your business is: a private startup, a large public company, a vegetable store. It doesn't. A seasoned attacker will always find something to use, yes, even in a vegetable store that doesn't hold any databases but does make financial transactions; breaching it lets an attacker get the credit cards used by the store's customers. Or maybe its computers will be used for attacking someone else, or for mining cryptocurrency, or simply for pushing likes on social media. Many scenarios.

In any case there will be immediate damage and long-term damage. Immediate damage is, for example, the ransom demanded by the attackers, along with the cost of incident response and downtime. Even if you decide to strike a deal and pay, wouldn't it have been better to invest that money in cyber security and not have this event at all? I bet it would.

Besides the immediate damage, there is also the long-term damage:

If you are an investor and a startup with a breach history comes to you seeking an investment, will you be harsher with them, despite their claims of having corrected the issue?

If you want to buy stock and you're not a seasoned day trader but an ordinary person seeking to grow his assets (like the vast majority of people), would you risk your money on a public company with a history of serious security breaches, or would you prefer one without such a history?

If you are looking for an insurance company, will you go with one that has been breached before, or will you prefer one that hasn't?

It's all simple psychology: one will tend to go to the physician without a record of patients passing away, even if the other one (who has such a record) drops prices significantly.

That's the long-term damage: credibility history. Shirbit was asked to pay 1 million USD in BTC. They refused. But suppose they had invested that 1 million in proper cyber security, or in re-auditing their defenses, say, a year ago, instead of saving it for more revenue. It would have been much better, because then this event wouldn't have happened and both the immediate and the long-term damage would have been avoided.

Cyber security is not a cheap endeavor, but it acts as insurance for you: you pay now to be ready "just in case". So next time you think of your app serving thousands, tens of thousands or more customers, think whether it's worth going for lower costs now but risking everything later. One time can be one time too many, and statistically (if I am not mistaken) over an infinite time period the probability of a single event happening approaches 1.
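To make that closing statistical claim precise, here is the derivation as an added note (mine, not part of the original article). Assume that in each year a business independently suffers a breach with some fixed probability p, with 0 < p < 1:

```latex
P(\text{at least one breach in } n \text{ years}) \;=\; 1 - (1-p)^n .
```

Since 0 < 1 - p < 1, the term (1-p)^n tends to 0 as n grows, so the probability of at least one breach tends to 1. The number of years until the odds reach even is

```latex
n_{1/2} \;=\; \frac{\ln(1/2)}{\ln(1-p)} ,
```

which gives roughly 69 years for p = 0.01 and roughly 13.5 years for p = 0.05. The independence assumption is generous to the defender: in practice an unpatched system or an untrained staff makes each year's probability higher than the last, which only shortens the wait.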

Or will you kindly help damage and maybe ruin your business?


More articles by Michael Ioffe
