#44 -WHAT COULD GO WRONG? – JOHN MILLICAN

What could go wrong?  As an information security manager, I have often been asked that question.  But there are two ways it is asked.

The first is my preferred way.  It is a genuine effort to identify and evaluate the risk associated with the item at hand.  That is a conversation I want to have.  That is a thought process I want to encourage.

Then there is the other way.  Instead of trying to identify risk, it is asked as if to imply that there is nothing that could possibly go wrong with whatever is being proposed, and only a fool could think there would be.

Let’s examine four cases to see what can go wrong when the right question is not asked, and what it looks like when it is.  Read each one and stop to ask yourself what could go wrong before reading the outcome.

CASE 1 – THE AMBITIOUS EMPLOYEE

Joe was an ambitious guy.  He was an engineer for a leading HVAC manufacturing firm.  He wanted to improve his business skills, so he enrolled in some business classes at a local college.  During class he was introduced to a presentation tool called Prezi that seeks to go beyond PowerPoint.  It runs on the desktop and in the cloud, so a presentation can be accessed anywhere from any type of device.  Best of all, there is a free version.

WHAT COULD GO WRONG?

Joe was working on a building project for a major technology company that is well known for its secrecy.  The building plans were very sensitive to the customer.  Joe’s team was providing the Heating, Ventilation, and Air Conditioning (HVAC) systems.  Joe needed to give a presentation outlining their plans for the building.  Wanting to do the best job possible, Joe decided to use Prezi and his new skills to develop it.  Joe did not consult anyone before making this decision.  This was unfortunate, because Joe was using Prezi’s free option, which makes every presentation public.  When the presentation was given, the customer immediately noticed this and realized that its sensitive building plans had been published where anyone could see them.  I will leave it to you to imagine the damage to the relationship between Joe’s employer and its customer.

CASE 2 – THE WEAKEST LINK

A major technology firm provides one of the most widely used two-factor tokens in the world.  Their security background and their recognition of the role their products play in their customers’ security processes led them to employ a very sophisticated defense.  They are also a large firm with a significant need for high quality employees.  To meet this need they work with a reputable recruiting firm to identify qualified candidates.

WHAT COULD GO WRONG?

A spear phishing attack appearing to come from the recruiting firm was launched against four low-profile, seemingly low-value targets in the company’s HR department.  The company’s defenses worked well.  You could almost say they worked perfectly.  But they didn’t.  One of the four employees noticed that an email from their external recruiter had ended up in their Junk folder.  The defenses had done their job.  However, it looked important because its subject line read ‘2011 Recruitment Plan.’  The plan was supposedly contained in an attached spreadsheet.  When the spreadsheet was opened, it was empty except for a zero-day exploit of an Adobe Flash vulnerability that installed a backdoor.  That is all it took.  With that toehold the attackers worked their way through the network until they stole the core security material central to the company’s products.  The breach cost $66 million in the following three months alone and over $81 million over the following year.  That does not include the $100 million cost to their banking industry customers or the damage to the company’s brand value.

CASE 3 – IMPROVING VENDOR SUPPORT

A national discount retail chain had to manage all of its stores’ physical facilities, including their HVAC systems.  Since this was not a core competency, it made sense to outsource HVAC to a company that specialized in those skills.  To facilitate the business relationship, the retailer gave the HVAC company’s staff access to its network for electronic billing, contract submission and project management.

WHAT COULD GO WRONG?

The attackers used what is often called an island hopping attack.  Rather than targeting the retailer directly, they focused on the retailer’s business partner.  They launched a successful spear phishing attack against one of the HVAC staff members.  While the vendor maintains that its “IT system and security measures are in full compliance with industry practices”, it reportedly used a free anti-malware program that “does not offer real-time protection against threats.”

As an aside, this raises the question of whether the vendor even knew it had been breached.  More importantly, it highlights that your security is only as good as your vendors’ security.  Using the vendor’s account credentials, the attackers were ultimately able to gain access to the retailer’s payment processing systems.  Note that the access granted to the vendor was for billing, contracts and project management; an account with that purpose should never have had a path to the payment systems, and a vendor account should be confined to exactly what the business relationship requires.  The attackers then installed malware on the point-of-sale terminals used in the stores to process credit and debit transactions.  In the end, the card information of over 75 million of the retailer’s customers, including PIN numbers, was stolen.  In the first month the retailer reported $61 million in breach-related costs, and the full cost for 2014 can only be speculated upon.  It is reasonable to think it will amount to hundreds of millions, and that the relationship with the HVAC vendor is severely damaged.

CASE 4 – THE ONE THAT GOT AWAY

The CIO of an online pharmaceutical benefits provider was going on vacation in Italy.  To help him stay on top of his responsibilities, he was given a mobile hotspot from one of the major wireless carriers.  During a layover in Toronto, he used the hotspot and it worked perfectly.

WHAT COULD GO WRONG?

The day after the CIO’s layover, the company’s controller received an email, apparently from the carrier, saying that several thousand dollars in charges had been racked up on the hotspot.  A link was provided for the controller to view the charges and determine whether they were valid.  However, the company had trained its employees to recognize potential phishing attacks, so instead of clicking the link he contacted the company’s information security team.  They examined the message and determined that it was a phishing attack that could have led to a breach of their systems.  Another aside: note that the controller did not have to be an expert in phishing attacks.  That was the IS team’s job.  He just had to be aware enough to think that the email might be suspicious and to ask what could go wrong.
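The controller’s instinct can be backed up with a mechanical first pass.  What follows is an added example, not code from the original article: a small Python triage script that applies the checks an information security team would start with on a message like the one in Case 4.  It compares the sender’s domain with the domain the carrier is known to use, and for every link in the body it checks whether the link’s real target belongs to that domain and whether the text shown to the reader matches where the link actually goes.  The carrier domain `example-carrier.com`, the two sample messages and the look-alike host in the first one are all constructed for the example.

```python
"""Phishing triage for a 'review your charges' e-mail (added example, constructed data)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the sender looks like the carrier, and the link *text*
# looks like the carrier's site, but the href goes to an unrelated domain.
SUSPICIOUS_EMAIL = """\
From: Billing <billing@example-carrier.com>
To: controller@example-company.com
Subject: Urgent: $4,217.55 in hotspot charges
Content-Type: text/html; charset=utf-8

<html><body>
<p>Several thousand dollars in charges were posted to hotspot 555-0100.</p>
<p>Review them here:
<a href="http://example-carrier.com.billing-review.example.net/login">
https://account.example-carrier.com/charges</a></p>
</body></html>
"""

# Constructed sample of a legitimate notice for comparison.
CLEAN_EMAIL = """\
From: Billing <billing@example-carrier.com>
To: controller@example-company.com
Subject: Monthly hotspot statement
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready:
<a href="https://account.example-carrier.com/charges">View charges</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; a bare 'www.x.com/y' is treated as http."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def registrable_domain(host):
    """Crude organisation-level domain: the last two labels.
    Good enough to expose 'carrier.com.evil.example.net'; a real tool would
    consult the public suffix list so that e.g. 'co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(raw_message, trusted_domain):
    """Return human-readable findings for one message; an empty list means
    none of these simple checks fired (which is not proof the mail is safe)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_header = msg["From"]
    sender_domain = (from_header.addresses[0].domain.lower()
                     if from_header and from_header.addresses else "")
    if sender_domain != trusted_domain:
        findings.append(f"sender domain {sender_domain!r} is not {trusted_domain!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return findings
    extractor = LinkExtractor()
    extractor.feed(body.get_content())

    for href, text in extractor.links:
        target = registrable_domain(host_of(href))
        if target != trusted_domain:
            findings.append(f"link target {href} belongs to {target}, outside {trusted_domain}")
        # If the visible text itself looks like a URL, it must agree with the href.
        if "." in text and " " not in text:
            shown = registrable_domain(host_of(text))
            if shown != target:
                findings.append(f"link text shows {shown} but actually points at {target}")
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, triage(sample, "example-carrier.com"))
```

The script does not fetch anything and does not decide on its own; like the controller in the story, its job is only to notice that something does not add up and hand the message to someone whose job it is to look further.  On the suspicious sample it flags both that the link leaves the carrier’s domain and that the displayed address disagrees with the real one; on the clean sample it reports nothing.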

Sincerely asking “what could go wrong” is the simplest and most effective information security tool you could deploy.  It starts the thinking process that is the core of risk management.  And, its greatest value is that it is so simple that everyone in the enterprise can use it.  Finally, it offers the opportunity for the business community to engage with the professionals in risk management or information security to determine the best path forward to maximize business opportunity while minimizing risk.

Just imagine how much risk in your organization would be reduced if everyone simply asked, “What could go wrong?”

Bio:

John Millican is a business-first manager with strong experience in driving value to the enterprise through IT and Information Security (IS). His experience is divided between positions in both industry and third party IT service and Information Security provision.

John developed and led the global Information Security team for Expedia Inc. as its Chief Information Security Officer and was VP of IT Operations for Hotwire.com. He also founded and led a twelve-person independent IT/Information Security service provider. Clients and employers have ranged from small wholesale/distributors to regional financial institutions and Fortune 1000 Internet-based companies.  John’s most recent efforts have been focused on assisting clients with implementing Information Security programs, obtaining ISO 27001 certification and implementing continual improvement methodologies within their organizations.

He is a Certified Information Systems Security Professional (CISSP) and was the first person to be certified by the SANS Institute for its core security programs – Windows Security, Unix Security, Intrusion Detection Analyst, Incident Handling and Firewall Analyst.  Additionally, he was co-author of the SANS Security Essentials Toolkit.

John has a Bachelor of Science in Business Administration degree from the University of Akron.
