There is one universal truth about cybersecurity: all the preparation, resources and infrastructure in the world won’t make a single bit of difference if the people in the organization aren’t aware, alert and on guard against threats.
A recent article I read in The Verge hammered that message home. “How an International Hacker Network Turned Stolen Press Releases Into $100 Million” is a long but fascinating read — if you’ve got some time on an airplane or over the weekend, I highly recommend it. In a nutshell, a hack of newswire websites allowed for insider trading.
To be honest, this is something we’ve frequently discussed in our editorial meetings. Companies send embargoed press releases all the time, and while many of them are fairly innocuous, there are some bigger ones that, in the wrong hands, could really cause some damage — particularly earnings and M&A releases. Imagine, for example, you had your hands on the Open Text/Dell EMC announcement the day before its release — before the markets closed.
Or don’t imagine. Here, from The Verge article, is an example of exactly how one transaction went down:
“On August 3rd, 2011, a press release from Dendreon Pharmaceuticals was uploaded on PR Newswire at 3:34PM and published less than 30 minutes later at 4:01PM, just after the markets closed. The release announced the company’s new drug would not meet its forecasted sales target. At 3:56PM, when it had yet to be published and four minutes before the markets closed, Korchevsky purchased 1,100 put options, a contract giving the ability to sell the stock at a specific price within a specific time period. The next day, Dendreon’s stock fell 67 percent and Korchevsky sold his put options for a profit of more than $2.3 million.”
There are a few commonalities in this story and the myriad others we’ve heard recently in regard to security breaches: a company that is loath to make public that it has had a breach (lack of trust!), a group of people with the technical ability to perpetrate the hack and the knowledge of what to do with the stolen information, and the human factor. That last might be at once the simplest part of the equation and the hardest to control. As one of the hackers noted in The Verge story, “You’ve always got the human factor: that one employee who will click on the phishing email or is happy to exchange their password for money.”
We have written often about the need for educating employees. If I may quote myself: “User education is key, and there is no coddling the C-level when it comes to this — everyone must be made aware, and it’s also an incorrect assumption that only unsuspecting or non-tech-savvy users are susceptible.” (Big Game Phishing: ‘Whaling’ the C-Level Target.)
And William MacArthur, threat researcher for digital threat management firm RiskIQ, told us, “Ransomware is so dangerous because your defenses against it are often only as strong as your least cautious employee — when one person clicks on an email … the entire network is compromised.” (“The Super Scary, Increasingly Prevalent and All-Too-Real Threat of Ransomware.”)
It’s not just education that’s key, but communication as well — otherwise the education could turn into an embarrassing situation, as it did last week for the Democratic National Committee, which on August 22 reported that it had thwarted an attempted hack — and on August 23 reported that, oops, just kidding, the hack was merely a test. Tests are good — hiring a certified ethical hacker to perform a vulnerability test on your systems is a recommended practice, as Atlantic’s CTO Bill McLaughlin explained in “Becoming a Superhero in the Security World.” Reportedly the Michigan Democratic Party had done just this — they “had hired hackers to simulate an attack known as phishing, but did not inform the national committee.” The DNC has had a lot of security issues and was doing the right thing from a protection and education standpoint — they just missed one little step.
Another big news story from the last week shows that the government itself is well aware of its vulnerabilities and is working toward a solution, awarding a $1 billion contract to security consulting firm Booz Allen Hamilton for its Continuous Diagnostics and Mitigation (CDM) program, with the scope of work to include the GSA, Health and Human Services, NASA, the Social Security Administration, Department of the Treasury and the U.S. Postal Service. How badly is it needed? A May 2018 government risk determination report showed that 74 percent of government agencies have cybersecurity programs that are either at risk or high risk, that Federal agencies are not equipped to determine how threat actors seek to gain access to their information, and only 59 percent of agencies reported having processes in place to communicate cyber risks across their enterprises.
Is this good news? Well, talk is cheap, even if government contracts are not, and we’ll see what actions happen as a result of this contract — but it shows awareness of shortcomings and a desire to fix the problems, and that is never a bad thing.
But let’s look at one more thing to take this story full circle. Take a look at the hyperlink for the $1 billion contract two paragraphs up, and note that it links to a Business Wire press release. What would an insider have done with BAH stock in advance of that release? Since I am neither a hacker nor a trader, I’m in no position to guess — but it makes you realize just how interesting the newswire scheme really was.
Don’t worry, contributors. I hereby promise not to use your press releases to conduct insider trading.