CyberWire-X 1.30.19
Ep 4 | 1.30.19

Case studies in risk and regulation.


Dave Bittner: [00:00:04] Hello, everyone. And welcome to CyberWire-X, a series of specials designed to highlight important security topics affecting organizations around the world. This is the final installment of a four-part series called “Ground Truth or Consequences: The Challenges and Opportunities of Regulation in Cyberspace.” Today, we look at case studies in risk and regulation. We'll examine some of the game-changing, high-profile breaches like Yahoo, Equifax and OPM along with their impacts and lessons learned.

Dave Bittner: [00:00:35] A program note, each CyberWire-X special features two segments. In the first part of the show, we'll hear from industry experts on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view. And speaking of show sponsors, a word from our sponsor, Gemalto.

Dave Bittner: [00:00:56] Your enterprise is rich with sensitive data at rest and in motion throughout the network. But what happens if that sensitive data isn't secure or if it's improperly accessed? We're guessing that regardless of what defenses you have currently implemented, the thought of your data being stolen or manipulated keeps you up at night. Gemalto tackles the two main causes of cyberattacks - identity theft and data breaches. They do this by providing next-generation digital security built from two technologies, secure digital identification and data encryption. Gemalto already operates these solutions for many well-known businesses and governments, protecting trillions of data exchanges. And as independent security experts, they guarantee digital privacy and compliance with data protection regulations. Gemalto puts you back in control of your own data. Visit Gemalto today to learn more about their access management and data protection solutions. You can also check out the most recent findings from the Breach Level Index, which tracks the volume and sources of stolen data records. Go to to subscribe and learn more. That's And we thank Gemalto for sponsoring our show.

Christopher Pierson: [00:02:23] I can remember back in - being outside counsel at a large - a large corporate law firm and handling the first breach. It was, like, July 8 of 2003.

Dave Bittner: [00:02:33] That's Dr. Christopher Pierson. He's CEO and founder of BLACKCLOAK.

Christopher Pierson: [00:02:38] But I think really, the big breaches that were out there were maybe CardSystems, which was a payment card system back in Arizona. That was one of the first big ones. But the one that really lingers in everyone's mind is definitely TJX - yeah, T.J.Maxx. That brand of companies, whereas in 2006 to '07, they had some 46 - it started out smaller - but up to 90 million cards and other unique pieces of information that were - that were stolen.

Christopher Pierson: [00:03:09] So for TJX, a lot of that included driver's license numbers that were written on checks and some other information there, as well as the credit and debit card information. But, I mean, I think really, TJX is what propelled things onto the front page.

Dave Bittner: [00:03:23] And what was the response in the industry to have something like this happen at that scale?

Christopher Pierson: [00:03:29] A lot of the interesting things actually came out of the banks on that one. So there were a large number of banks that had credit cards and debit cards that were associated with that breach. They're the back - not necessarily the back end, but they were the providers of the cards that were actually used. And because TJX was nationwide and because it impacted all the consumers, all the banks were basically saying, well, why are we paying for this? Why do we have to reissue the card? You know, it cost $20 to $30 to reissue a credit card at that point in time. So why do we have to do this? We are otherwise impacted. We need some remuneration. We need something to happen as a part of this breach.

Christopher Pierson: [00:04:05] And it was then that you started hearing a little bit about chip-and-PIN, EMV and that discussion take root. It later on resurfaced with Target, you know, some - some six, seven years later in 2013. But I think that with TJX, it was one of the ones that hit almost all consumers in some form or fashion. It was large enough scale. You had banks getting on the national headlines saying, you know, why should we be saddled with the fraud that's resulting from this? Because it was active fraud, especially on the card's side.

Christopher Pierson: [00:04:36] But on the flip side, you know, as a - as a part of the settlement, you know, what's interesting is a part of the key settlement, what consumers actually got that were otherwise aggrieved - I mean, yes, some credit monitoring and all the rest if you hit the right trigger categories for information stolen. But they also got, you know, some $50 - I forget what the exact amount was - $50 worth of TJX gift cards to go back and shop again at the store. So it was a masterful settlement by outside counsel there in terms of funneling the people that were aggrieved right back into the stream of commerce, back into the store.

Dave Bittner: [00:05:08] Now, how did a breach like that affect people's approach to to calculating their risk. Did it cause a recalibration? You mentioned how the - you know, the banks were kind of pointing the finger at the retailer and saying, well, wait, this isn't our fault.

Christopher Pierson: [00:05:23] Yeah, you know, in terms of risk, I think this was the one case that, when it started out, this was the one case that everyone, whether you were in - I was, you know, the chief privacy officer of Royal Bank of Scotland at that point in time. But, you know, it was one of those that was being used not just in the financial space but in the health care space and aerospace and defense and all these different sectors.

Christopher Pierson: [00:05:43] Everyone was pointing to the TJX incident, TJX breach, and saying, that could happen here within our own company in some form or fashion. And we need to be prepared. We need to start making sure we have the right controls. We need to be making sure that, from a risk-alignment perspective, we are actually upping and categorizing this cybersecurity risk as something that is more definite on our risk inventory.

Christopher Pierson: [00:06:08] And then, I mean, you're talking, yes, there was, you know Archer Systems and a few different things that were percolating from a GRC, a governance risk and compliance side. But really, a lot of people were still locked in Excel spreadsheets then. And I think it's at that point time that you start to get these line items for, you know, hackers break in. They steal something of value, steal card data, you know, SSNs, driver's license numbers, other pieces of information. That's where I think things really started hitting on the risk registry in terms of making sure that cyber was one of those things that you would actually have and that you would take control of and really try to mitigate the risks of.

Christopher Pierson: [00:06:46] For many, many years afterwards - and for some companies still today, but for many years afterwards - easily until 2013 to maybe 2015, cybersecurity's an IT issue and an IT issue exclusively. So yet for another seven to eight years, it's entirely an IT issue. TJX didn't change that conversation, unfortunately. It was still, hey, let the IT guys handle it. IT's in charge of it. It's an IT problem. It's not a reputational risk problem. It's not an overall business problem. It's not an overall operational problem. That's where the dialogues kind of died down.

Dave Bittner: [00:07:21] And these systems were not making significant use of encryption at the time either?

Christopher Pierson: [00:07:27] No, not really. I mean, you had - you know, in 2007, 2008, you finally had, you know, people saying, hey, we should really look at all laptops being encrypted, all mobile devices being encrypted. But, you know, it wasn't until Massachusetts CMR 17.00, where it actually, as a state law, pushed out a mandate that all mobile devices be encrypted - and it wasn't until that point in time, which really, those regulations took effect in March of 2010.

Christopher Pierson: [00:08:00] So it wasn't until 2010 that there were some stick there to say, you must do this if you have a Massachusetts resident as your customer or you're doing business in Massachusetts, which, of course, you know, many companies were doing in terms of having customers - almost, you know, equal weight to California. California being the biggest stick, obviously, with, you know - I forget what it is - fifth-largest GNP in the world.

Christopher Pierson: [00:08:22] But as a result of that, you know, encryption was starting to be pushed in in terms of mobile devices, in terms of pushed in in terms of phones, maybe even little more laggard there until 2012 and '13 on phones. But, you know, database-level encryption was not widely in use. In some places, you were actually doing field-level encryption for just that specific field.

Christopher Pierson: [00:08:45] But when marketing would take the data out of one database and create a new data warehouse, you know, the information would be unencrypted again and so on and so forth. So you really had data propagation in terms of - or proliferation, in terms of it going everywhere, and that - that key level of encryption, if it existed, only existing in that one place. So still very, very, you know, kind of raw and new in terms of encryption for large companies.

Dave Bittner: [00:09:13] I want to go through some of these high-profile breaches with you.

Christopher Pierson: [00:09:16] Yeah.

Dave Bittner: [00:09:16] And get your take on, you know, where they stand - where they stand out and sort of the lessons that the industry and the public learned from them. Why don't we start with one of the biggies? And that's Yahoo from 2013.

Christopher Pierson: [00:09:29] Yeah, I mean, you know, the Yahoo breach or breaches - right? - 2013 and 2014, you had some 500 million in the first, and then, you know, kind of the resulting. I think the grand total is around 3 billion in terms of usernames, passwords and other information there. I mean, you know, certainly the biggest - certainly one of the most impactful in terms of just about everyone had, as a stopping point - I mean, at some point in time, everyone had some type of AOL, maybe a Hotmail. Definitely everyone had some type - type of Yahoo address.

Christopher Pierson: [00:10:00] And of course, look, the end users using this - password safes, you know, weren't in wide existence back then in easy format. You know, there are a number that are standalone, now a number that are cloud-based and online and apps. But, you know, highly likely, if someone had a Yahoo email, that their password to that email was the same as it - to Gmail, same that they were using in - at work, and they were using other places or with some minor modifications.

Christopher Pierson: [00:10:25] I think as I - as I look at Yahoo, great data trove to find out what someone's password is, see if they're using it similarly on other websites and attack them at those websites in terms of their corporate life or other associations that they may be a part of, especially associations they may be a part of that could yield you other information, other intelligence or point out weaknesses in them, especially if you want to target that individual or that company. Also a good treasure trove in terms of - right? - documentation, I mean, everyone putting their airlines or their rental car, the hotels or whatever, into Yahoo over the years - and, you know, obviously equally Gmail. But, I mean, you know, Yahoo seems to be the one-stop shop.

Dave Bittner: [00:11:05] And what have we taken away from that? What were the lessons learned there?

Christopher Pierson: [00:11:09] Well, I mean, I think there's a few different things. First of all, obviously you have large-scale breaches over a number of different years, a number of different, you know, kind of quote, unquote "administrations," if you will, within Yahoo. I look at it as a, you know, a cultural issue, a cultural problem from the outset. So there is a problem there in terms of culture. There's a problem there in terms of governance. There's a problem there in terms of the realization and the acknowledgment from the top on down, from the board and C-level suite on down that, at the end of the day, they are a data company.

Christopher Pierson: [00:11:41] They live and die off of data. Therefore, they must be a cybersecurity company, and it must be baked into everything they do. From all public accounts, it looks like it was an uphill battle and, in many instances, to get the funding and the things that they needed to be done. But that's no excuse - none whatsoever. Seems like absolutely the wrong culture, something in opposite to storing and safeguarding, you know, however number of many of people and accounts and or amount of data that they had and held.

Christopher Pierson: [00:12:07] So I look at it as that's one massive lesson in terms of, you are a cybersecurity company. You're an IT company. The two things go together. That lack of realization, in terms of Yahoo, of not saying, well, yeah, we make our money via marketing, but we are only able to exist because of our name and reputation and goodwill.

Dave Bittner: [00:12:26] Yeah, let's move on and talk about Equifax. I mean, that one was particularly damaging, yes?

Christopher Pierson: [00:12:31] I mean, that's probably one of the most damaging breaches ever. And it isn't just a, Dave Bittner's record is exposed in terms of he has a Citibank card, an American Express card and a home loan here and a car loan there. I mean, that's - that's, you know, obviously personal and private information, yes. The biggest thing for the breaches is what all the banks use and mortgage, financial companies use, even government uses, which is it's the single source of data input for what's called KBA - knowledge-based authentication. So, you know, you, Dave, when you're, you know, trying to buy that new ski chalet. You're filling out the - I know (Laughter).

Christopher Pierson: [00:13:12] But you know, when you're filling out all that information and it's trying to ascertain your identity, it's asking you those questions. Dave, what was the first color of car you got? Who was your first home mortgage with? You know, what was the first credit card you got with? Who was the bank behind that? Those are all KBA - knowledge-based authentication - questions, proving to that third party that you have a degree of knowledge about your financial patterns and other things about your life over a 10, 20, 30-year history, period of time. You can't erase them.

Christopher Pierson: [00:13:45] Your first car was purple. It just is what it is, you know? It was a Dodge Dynasty. And it was Acme Insurance Company and Acme, you know, Mortgage Company for the house. You can't change those. This knowledge-based authentication is the backbone for the banks, credit card transactions and other things that we do that are more financial nature.

Christopher Pierson: [00:14:03] And that entire database, really - half of the population of the United States is gone. Someone else has it, has access to it and can figure out all of those answers for what 50 percent of the United States consumers are doing as it relates their background. That's really damaging. And the only thing that's actually going to make it less risky is time, i.e. another 30 years, really, to wash through the system. We can't do anything about that. It is what it is.

Dave Bittner: [00:14:32] I want to talk about some of the breaches that weren't so much consumer-focused but that really could kind of hit us at a nation state level. I'm thinking about the OPM breach. I'm thinking about the Sony hack and even things like, you know, Ashley Madison, FriendFinder, where you're getting personal information that could be used to extort someone.

Christopher Pierson: [00:14:53] When you take a look at those tools that are useful for, yes, intelligence purposes but also for ransom or extortion or reputational issues, I mean, it doesn't get any better than OPM. Office of Personnel Management has the SF-86, standard forms, that are the entry point to apply for classifications or clearances within the United States government, whether it be confidential, secret or top secret and above, you know, this is the one form, one size fits all. And the information on that form is incredibly, incredibly sensitive, incredibly personal.

Christopher Pierson: [00:15:30] And it's not just on the individual. It's on them, the spouse, significant other, the kids, their parents, the significant other's parents and relatives, any foreign contacts. I mean, it goes on and on and on. Well, that information in one easy-to-find document that can be indexed, OCRed, stolen - and even if it's the old-fashioned written forms, stolen and then OCRed later on - I mean, is a treasure trove for any intelligence agency anywhere in the world, period. Not only does it tell who someone is, you know, give, potentially, weaknesses about them - because it's illegal to lie on that form - and it potentially tells others who to get to to get to that person.

Christopher Pierson: [00:16:12] All of that taken together is - I mean, it's like the perfect roadmap - really, a perfect roadmap. The same thing in terms of like - from a flip side. You know, Ashley Madison, FriendFinder, I mean, these are 2000 - what? - 15, 16. I mean, if an intelligence agency is able to get active knowledge of active users on those types of sites, perhaps put people in place, exploit them, exploit the individual, embarrass the individual - I mean, you know, kind of a treasure trove there once again.

Christopher Pierson: [00:16:40] And same thing in terms of, you know, some of the IP breaches in Sony, just, you know, a little bit different - the embarrassment or the extortion factor of Sony, but we're also going to steal your intellectual property. I think, you know, one of the James Bond movies, the script was stolen. A few other things were stolen in there. But then - dot, dot, dot - the extra add-on is, oh, and by the way, since your exchange server is next door to all this fun, cool stuff, we're going to look through all of your emails and find the most embarrassing emails that we can about the best stars that are out there, the ones that make you the most amount of money. And we're going to expose those emails of you complaining about Brad Pitt or complaining, again, about whatever store - star it was.

Dave Bittner: [00:17:21] Right.

Christopher Pierson: [00:17:22] And - right, I mean, that goes straight to the bottom line.

Dave Bittner: [00:17:25] Yeah, absolutely. And I wonder, you know, when you look back at some of these big breaches, is there any thread that goes through them where if only we had done this, if only we'd thought about this, then maybe this wouldn't have happened?

Christopher Pierson: [00:17:41] Well, I think there's a tactical piece of that that needs to be there. But at a higher, strategic level, I think most certainly. It is absolutely a miss in terms of each one of these companies not putting enough value on the data that they have and hold and the value to them in terms of damage and reputational damage and branding damage and/or operational damage to the loss of control of the data. There, somehow, is this misnomer that even though the data isn't gone and can never, ever be found, that it still can be damaged and the company can be damaged by others having access to it or control or your losing control to it. And it's that inability to accurately risk rate what you have and translate it into how this makes you money, how this makes the company survive and how this actually, you know, promotes and supports the products and services you have.

Christopher Pierson: [00:18:37] It's that - I mean, I go back to the risk equation here in terms of if there was a proper risk assessment that was done, that was well understood - not an IT risk assessment, talking about a business risk assessment. What is it that actually makes the company go? I would hasten to say across all of these companies, they didn't actually say, what can make us or break us in the digital realm? And what do we want to do about it? How do we want to act on this? And do we, the board, approve it? Do we, executive management, approve it? Do we, the one person who's in charge of cybersecurity, you know, approve it? And we didn't do that. And I think that's a theme throughout all of these.

Jason Hart: [00:19:23] We've learned nothing, if I'm really true. If we go back all the way to TK Maxx, Heartland Payment Systems, the RSA security breach, every breach that we've seen today is what I call a confidentiality breach.

Dave Bittner: [00:19:35] That's Jason Hart. He's CTO for enterprise and cybersecurity from our show's sponsors, Gemalto.

Jason Hart: [00:19:42] It's where data's been compromised and exposed and published. And that's been done, in some cases, because it was very simple to do, to expose the data, the data that is being used to conduct other forms of attack or breaches. But ultimately, as per with the previous podcast with you, Dave, it's always about data. The bad guys have this ability to get access to data, sensitive data, expose that sensitive data, when actually they shouldn't have been able to do that.

Jason Hart: [00:20:13] So for me, to date, every breach has been a confidentiality breach. Reputational impact, financial impact, etc. But we're entering into a world of what I call a world of integrity attacks, which is going to bring us a world of bigger pain than we've ever seen before.

Dave Bittner: [00:20:32] Well, let's dive into that. What do you mean by that?

Jason Hart: [00:20:34] Every breach that's happened today, it's been about exposing the data. You know, there's been reputational impact, and some in some cases there's been some substantial fines. But the way we consume data and use data today, we make business decisions. So what about if the bad guys may have already altered data, altered the integrity of the data, for a downstream effect? So let me give you an example. And this is purely a theoretical example.

Dave Bittner: [00:21:01] Right.

Jason Hart: [00:21:02] So as you may have gathered from my accent, I'm from the England. In England, in the U.K., I live in a very rural village. And it's a farming community. I have two neighbors, both farmers, Will and George. They're brothers. Going back 2 1/2 years ago, one Sunday afternoon, George and Will wanted to come around. You know, in a very English farming way in North Somerset, we were - they brought some cheese and then brought some cider. But the key reason they came around was to show me their new tractors. One had a Massey Ferguson. One had a John Deere. And what they were really blown away by was the automation, the IoT, the telematics. So their new tractors could actually identify the crop quality, the soil quality, the yieldage (ph), the acreage, etc. So from a farming point of view or farmer's point of view, that was providing them a lot of valuable information.

Jason Hart: [00:22:00] So for me, I started thinking in my odd way, as I do, like a bad guy, providing some situational awareness around the whole situation. So as a farmer, I understand the need. I sign up to a subscription. I get this data. This data, I can use to monetize my farm. I can get more yieldage, etc. Brilliant. However, from a manufacturer's point of view, you know, it's an additional amount of revenue, but it's not a huge amount of revenue in contrast to what the machinery costs, etc. So I was thinking, OK. I'm the manufacturer now. So now I have visibility, or I have data sets of the yieldage for the crop quality or the soil quality across the whole of the U.K. That's interesting. And again, this is all theoretical.

Dave Bittner: [00:22:47] Right.

Jason Hart: [00:22:49] Now I have that data set to say, actually, the crop quality is going to be - is poor, or whatever. I've got some insight. So maybe with that data, I could sell that data on. So, Dave, who would you sell that data set on to?

Dave Bittner: [00:23:03] I guess the nation next-door who you're competing against in selling your crops?

Jason Hart: [00:23:08] Or what about now suddenly we start selling onto the commodity markets to give them insight to, actually, the U.K. or Europe. Maybe, you know, the crop quality is lower. You know, it's real-time data. Or, actually, the soil quality, because of, you know, the lack of rain, or whatever. So you've got this real-time data.

Dave Bittner: [00:23:24] Are we going to have a good year, or not?

Jason Hart: [00:23:26] Exactly. So now they can bring that number, or they've got that data set so actually they can formulate into some of their analytics.

Dave Bittner: [00:23:33] Right.

Jason Hart: [00:23:34] So now think like a bad guy. What if I could access all of that IoT environment and alter the integrity of the data knowing that the flow of that data is most probably being used to actually look at the, you know, the futures market or whatever, or the commodities markets. So now knowing that, as a bad guy, if I was to, every piece of data that was entered and then put back up into the cloud, divide it by two, I can actually control the commodity market. And at the same time, I can legitimately put money on the commodity markets but alter the integrity of the data that's going into effect that price. That's what we call an integrity attack on a grand scale.

Dave Bittner: [00:24:14] And so what's the mitigation to that? How do you shepherd that data through to make sure that the integrity is there from start to finish?

Jason Hart: [00:24:24] And that's my point. To date, we've barely protected the confidentiality of data. No one's actually thinking about the integrity of the data, is it true? So we can take a thousand different types of businesses and say, right, those businesses are using data to make appropriate business decisions. At what point are they validating the input and the output and the integrity of it? So a bad guy, all he needs to do now is, at some point in the lifecycle of that data, just manipulate the integrity of that data to effect a downstream effect or have a consequential impact.

Jason Hart: [00:25:00] My point here, Dave, is at the point an organization finds out that they've been susceptible to an integrity attack, they've made business decisions already. Within a confidentiality attack, yeah, it's publicized, it's in the press. There's reputational impact, maybe some financial. Business moves on. Integrity attack, it's going to be too late because the damage has already been done two years ago. And you've actually been using that data to make appropriate business decisions. It's a very, very dangerous form of attack, and it's what I call the invisible attack which is going to come and bite our backsides.

Dave Bittner: [00:25:36] And I could imagine, particularly in regulated industries, you could almost have a double whammy where if you'd been, unbeknownst to you, reporting faulty data, well, the regulators are going to have a problem with that as well.

Jason Hart: [00:25:52] Totally, yeah. And again, the integrity attack could have happened three, four years, you know, prior to, actually, the regulator realizing. So now where do you go from here?

Dave Bittner: [00:26:04] So I mean, looking at our history of some of these high-profile breaches, what leads you to this conclusion that this is the direction we're heading?

Jason Hart: [00:26:12] I always tend to look three or four years ahead. We're starting to solve some of the confidentiality issues. We're not learning, OK? We are getting there. Again, it all comes down to the previous podcast with you, Dave. It's all about data. We need to look at our data and understand, what are the likelihoods? What's the probability? What's the type of attacks? Is it a confidentiality risk? Is it an integrity risk? We're starting to solve some of the confidentiality risks, you know, the likes of GDPR, etc., for an organization, protecting data at rest, at source, in transit, etc.

Jason Hart: [00:26:46] But we'll also need to start thinking about new types of possibilities of things occurring. But as organizations become more secure, the attack surface moves elsewhere. And then, ultimately, it's all about making money from data or monetizing data. So now the bad guy is going to go, right. What if I can affect a cause or create a cause to occur to the left to affect a cause or an impact to the right to monetize?

Dave Bittner: [00:27:13] What is the solution to the integrity-focused attack? If we - you and I have talked previously about using encryption, technological solutions. If I take care of the basics, is that going to protect me from this as well?

Jason Hart: [00:27:28] Great question - nothing's changed here, Dave. It's the basics. So again, if we go back to the - you know, in time, you know, when - in the Victorian times, I would send a letter. There would be a wax seal on it. And if that was open or the seal would've been broken, guess what? I know the integrity of that letter has been compromised. No different - the controls to solve this problem are right there. They've been around for many hundreds of years. The technology's there - cryptography, key management solves these problems.

Dave Bittner: [00:27:59] Dare I invoke the name blockchain. Could that be a solution - having an open ledger?

Jason Hart: [00:28:05] Hugely - you know, so, again, you know, we're in a world of centralization. Going decentralized in ledger - 100 percent.

Dave Bittner: [00:28:12] If I'm a board member and I'm thinking about the things that should be on my radar in terms of risk, how should I be approaching from that direction?

Jason Hart: [00:28:24] So from an integrity attack, if you have done what I've previously outlined in my previous podcast with yourself, I have a risk register of data. Within that risk register of data, I know that certain types of data has a higher level of risk from a confidentiality integrity point of view. I need to ensure that the data which, potentially, could be affected from an integrity attack has the appropriate controls.

Dave Bittner: [00:28:49] Have what we've seen so far - have any of the high-profile breaches - have any of them been integrity attacks?

Jason Hart: [00:28:56] There's been - certainly been a couple in the U.S. The names of them have kind of gone from my head. But there's been a - in the legal sector, where MNA activity has happened, the integrity of some of that data has been used, yes.

Dave Bittner: [00:29:12] For organizations who are looking to get their head around this, where do they begin? What's your advice? How do we get started?

Jason Hart: [00:29:19] Again, it's about data, so understand the supply chain. We're in a world of technology now where the IT device is driving other kind of technologies. The data's being used to make other business decisions. Understand the flow of your data, the types of data, and at each level, ensuring that the low-hanging risks are mitigated.

Dave Bittner: [00:29:38] Do you feel like the message is getting out there?

Jason Hart: [00:29:40] No, I still think we are in a world of, well, why would someone target my organization? From a bad guy's point of view, they do it because they can. They do it for self-gratification. They do it for monetary reasons, country on country. There isn't always a real reason why they would target a particular organization. If you're an organization where you're not applying the appropriate security controls, the bad guys will target you. You may not even know they've targeted you. But at points in time, it will become apparent.

Dave Bittner: [00:30:11] So let me - again, getting back to this notion of looking at some of these high-profile breaches that we've seen over the past few decades, when you look at them, is there a common thread through them that if only they had done this, then these high-profile breaches might not have happened?

Jason Hart: [00:30:26] Yeah, 100 percent, Dave. You know, if we look in the past 21st century and look at the top 17, you know, breaches that have occurred, you know, they all had one thing in common. It was - one, it was data. But if they were applying the appropriate encryption and key management controls to that data, yes, they would've been breached. But it would've been, what I call, a secure breach. The data would've been rendered useless. We need to start applying the basic security controls - encryption, key management, forms of multifactor authentication. By doing that, we've vastly reduced every breach that we see to date. Until we do that, we're going to continually see the breaches on a daily occurrence. We apply the appropriate security controls to the data that actually matters.

Dave Bittner: [00:31:12] That's Jason Hart, CTO for Enterprise and cybersecurity at Gemalto.

Dave Bittner: [00:31:17] Thanks to them for underwriting this edition of CyberWire-X. Be sure to visit to learn more about their access management and data protection solutions and also find out about the Breach Level Index, which tracks the volume and sources of stolen data records. That's

Dave Bittner: [00:31:38] Our thanks to Dr. Christopher Pierson from BLACKCLOAK for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity startups and technologies. Our coordinating producer is Jennifer Eiben. Our CyberWire editor is John Petrik; technical editor is Chris Russell; executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.