[BreachExchange] An Increased Cyber Attack Surface Area

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 7 13:55:48 EDT 2017


http://www.securitymagazine.com/blogs/14-security-blog/
post/87954-an-increased-cyber-attack-surface-area

Ever hear of the term “attack surface area” in cybersecurity? It is a
concept that underpins defense in depth.

It refers to the exposure created by every communication path and every
device connected to our networks and, more recently, by devices that reach
our networks indirectly through intermediary systems and equipment,
including the Internet. As the number of connections increases, so does
the risk of being successfully attacked.

Emerging technologies like the Internet of Things (IoT), self-driving
vehicles, advanced robotics, artificial intelligence and more will
dramatically increase the cyberattack surface area of organizations, all of
which you must protect. While that is a big challenge, there is another
related issue that just popped up in conversations and deserves some
thought. Some are beginning to believe that the victims of DDoS attacks may
begin to routinely bring legal action against the owners and equipment
vendors of the compromised systems and devices used to generate the DDoS
traffic that disrupted their systems. The conversation quickly moved to the
fact that many of these devices do not ship with any security controls and
do not easily allow such controls to be added after the fact.

The initial conversation evolved into a topic that is deeply concerning on
many levels. What will the legal implications be when some of these
vulnerable devices used in transportation, medical facilities, or home
healthcare are compromised and contribute to the death of one or more
individuals?

I asked Benjamin Wright, Attorney and SANS Institute Instructor, about this
issue and he said, “I think the risk that a chief security officer or chief
information security officer would be criminally charged for some kind of
failure is a real long shot. Those are mid-level corporate officers who
report to higher executives. Holding mid-level corporate officers
criminally accountable for actions by their corporations is exceedingly
rare. To charge them criminally, the prosecutor has to possess a tremendous
amount of evidence showing direct intent to do something wrong.” He also
explained more generally, “As technology changes, the possibility for new
kinds of lawsuits grows. The history of technology law is filled with new
kinds of lawsuits and new liability as unexpected things happen when the
new technology is implemented. Vendors who sell new kinds of technology
such as the Internet of Things always face some kind of legal risk. That's
just the nature of our society.” He added: “Yes. I do believe lawsuits like
those that you describe could motivate orgs and vendors to be more
proactive with security.”

CSOs and CISOs are becoming primary targets of post-breach litigation. Just
look at all the legal actions surrounding the huge data breach at the
Federal Office of Personnel Management (OPM). There have been, and still
are, a number of causes of action surrounding this incident. Most of them
seek to hold the organization and individuals accountable for negligence,
privacy violations and multiple other causes of action. Now for the million
dollar question. There are legal actions that will likely set precedents
for litigation against CIOs, CSOs and CISOs in future cyberattacks and data
breaches. Could claims of negligence with respect to cybersecurity
shortcomings bring criminal charges against CIOs, CSOs and CISOs? They are
certainly facing civil actions, but criminal charges would be a more
serious risk. Will all of this lead organizations and vendors to become
more proactive about cybersecurity and build defenses in? Who knows, but
let’s hope so. Perhaps the best thing to do is to speak with a lawyer about
how professionally liable we might be if the systems we were hired to
protect are compromised, and, as always, keep accurate and timely records
of all documents.