Product managers deal with technical debt all the time.  They make priority decisions each sprint whether to build a feature or retire some technical debt.  Privacy debt is the new technical debt.  Privacy-related issues have become critical.  So far in 2021, the EU has imposed 145 fines for violation of the General Data Protection Regulation (GDPR).  The largest fine was €2,600,000 or $3,000,000. In the United States in 2020 there were over 1,000 data breaches that exposed over 155 million records.  Many of these breaches were due to vulnerabilities exposed by unaddressed technical debt.  Privacy debt is now the new technical debt and its impact can be disastrous.

Some Examples of Recent Privacy Breaches

The Epik Breach

On September 13, 2021, hackers identifying themselves as a part of Anonymous posted that they had gained access to large quantities of Epik data, including domain purchase and transfer details, account credentials and logins, payment history, employee emails, and unidentified private keys. Over 180 gigabytes of data were compromised.

“Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.

Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.

“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.”

TechCrunch

The Kayseya Ransomware Outage

On July 3, the REvil ransomware affiliate program began using a zero-day security hole (CVE-2021-30116) to deploy ransomware to hundreds of IT management companies running Kaseya’s remote management software — known as the Kaseya Virtual System Administrator (VSA). As reported by KrebsonSecurity

“According to this entry for CVE-2021-30116, the security flaw that powers that Kaseya VSA zero-day was assigned a vulnerability number on April 2, 2021, indicating Kaseya had roughly three months to address the bug before it was exploited in the wild.

Also on July 3, security incident response firm Mandiant notified Kaseya that their billing and customer support site —portal.kaseya.net — was vulnerable to CVE-2015-2862, a “directory traversal” vulnerability in Kaseya VSA that allows remote users to read any files on the server using nothing more than a Web browser.

As its name suggests, CVE-2015-2862 was issued in July 2015. Six years later, Kaseya’s customer portal was still exposed to the data-leaking weakness.

Alex Holden, founder and chief technology officer of Milwaukee-based cyber intelligence firm Hold Security. Holden said the 2015 vulnerability was present on Kaseya’s customer portal until Saturday afternoon, allowing him to download the site’s “web.config” file, a server component that often contains sensitive information such as usernames and passwords and the locations of key databases.

“It’s not like they forgot to patch something that Microsoft fixed years ago,” Holden said. “It’s a patch for their own software. And it’s not zero-day. It’s from 2015!”.

KrebsonSecurity

The Colonial Pipeline Ransomware Attack

On May 6th the cybercrime gang called DarkSide stole over 100 gigabytes of data from the Colonial Pipeline Company. The next day they encrypted Colonial’s data and demanded a $4.4 million ransom to release it.  It was the largest cyberattack on an oil infrastructure target in the history of the United States. Colonial had to shut down its pipelines that provided over 45% of fuel to the East Coast of the United States.  Colonial paid the ransom, but later the Department of Justice was able to recover $2.3 million.

According to Reuters:

“Colonial Pipeline Chief Executive Joseph Blount told a U.S. Senate committee that the attack occurred using a legacy Virtual Private Network (VPN) system that did not have multifactor authentication in place. That means it could be accessed through a password without a second step such as a text message, a common security safeguard in more recent software.

“In the case of this particular legacy VPN, it only had single-factor authentication,” Blount said. “It was a complicated password, I want to be clear on that. It was not a Colonial123-type password.”

Reuters

The trend towards Anything-As-A-Service has even extended to phishing and ransomware.  According to Elizabeth Montalbano of ThreatPost:

“Microsoft uncovered a large-scale, well-organization and sophisticated phishing-as-a-service (PhaaS) operation. The turnkey platform allows users to customize campaigns and develop their own phishing ploys so they can then use the PhaaS platform to help with phishing kits, email templates and hosting services needed to launch attacks.

BulletProofLink—also known as BulletProftLink or Anthrax by its operators in various websites, ads and other promotional materials–provides a starting point for people without significant resources to get into the phishing business.

The group has been active since 2018 and maintains multiple sites under aliases. The group leverages services such as YouTube and Vimeo offering instructional videos, advertisements and promotional materials. It is known to hawk their wares on a plethora of underground forums, researchers said.

While previously, criminals who wanted to launch these attacks had to build phishing emails and brand-impersonating websites on their own, “the phishing landscape has evolved its own service-based economy,” researchers said. Now attackers can just purchase all the resources and other infrastructure they need to launch phishing attacks without investing a lot of time or effort, researchers said.”

Reuters

The Rise of Cyber Attacks and the Vulnerability of B2B Payments

The pace of cyberattacks continue to accelerate:

History pf cyber vulnerabilities
SecurityIntelligence

B2B Payments Are Especially Vulnerable

In the U.S. alone, there were 26.8 billion ACH payments in 2020.  It totaled over 61.9 Trillion dollars in debits and credits.  Electronic payments are now the majority in the B2B world.

% B2B payment types
InsideIntelligence.com

I have lived in Costa Rica as a digital nomad since 2018.  I run a small consulting business focused on enterprise product management and M&A.  Out of the dozens of engagements I’ve conducted over the past three years I have only been paid by check once (a fee from a law firm deposing me as an expert witness in an M&A case).  All of the other payments were by ACH transfers, PayPal, or TransferWise.  If my flow of electronic payments was disrupted, I would be screwed.

How Can Product Managers Deal With Privacy Debt

First, product managers should acknowledge that there is a problem and it is serious.  You don’t want to be Tim Blaszak who is the VP of Product Management Kaseya and have to explain to your CEO why you didn’t prioritize fixing a known vulnerability from 2015 the day after the vulnerability damaged your company’s reputation.

You should consider a simple five-step process:

Privacy debt remediation process
DevelopmentCorporate

Raise Awareness of Privacy Debt

Perhaps the biggest challenge you will face is raising the visibility and urgency of privacy debt in your company.  A natural reaction from most executives is “This couldn’t happen to us!”  Arm yourself with stories of privacy debt issues.  Pull copies of your company’s firewalls and share just how many random attacks happen.  I guarantee it will be a lot more than anyone expects.  Collect and share stories of how executives lost their jobs after a preventable breach occurred.  Remind everyone that they don’t want to be like Tim Blaszak from Keseya that had to have his CEO go on national TV to explain that the breach was not too serious.

Inventory Potential Financial Vulnerabilities

Ideally, you would like to inventory all potential privacy debt vulnerabilities.  Begin by focusing on ones that have a direct financial impact on your business.  This could include billing systems, payment systems, etc.  If your company accepts credit cards, you can start by looking at the most recent PCI DSS audit report. If your company is public, you can start by looking at the reports that support the CFOs and CEOs Sarbanes Oxley 302 add 404 certifications. If your company is not public, your investors/board may require an annual audit of your financial statements.  Often these types of audits also cover internal controls.

Whatever your situation is you should develop a comprehensive list of potential financial privacy data vulnerabilities.  You should periodically (monthly/quarterly) update the list with vulnerability resolutions and newly discovered vulnerabilities.  This should be an ongoing process, not just a one-time event.

Assess Vulnerabilities and Risks

Once your inventory is complete, assess your vulnerabilities and risks.  The sad fact is almost every company does not have the resources needed to resolve every vulnerability.  Priority choices have to be made.  You can use a matrix like this to establish the risk and priority levels for your company:

how to categorize privacy debt
CrisisMapper

Develop & Implement Remediation Plan

The next step is to develop and implement a plan to remediate the vulnerabilities.  From a product management perspective, this means adding specific remediation items to your product’s backlog.  Treat them like you treat Non-Functional Requirements. Efrain (Frank) Velazquez presents an excellent approach in Handling Non-Functional Requirements in Agile Projects that combines user stories and acceptance criteria. To learn more about balancing features versus technical debt check out Product Manager’s First World Problems: Features or Outages?

You need to treat privacy debt just like you treat technical debt.  Privacy debt is just a type of technical debt.  Unfortunately, it can have a significant business impact.  At the beginning of your privacy debt remediation efforts, privacy debt remediation may require higher prioritization than regular technical debt.  Over time as the debt load decreases, it can share the same priority as regular technical debt.

Regularly Report on Privacy Debt & Remediation

Establish a regular cadence of reporting on privacy debt and remediation.  One of the challenges you face at the beginning of this process is making people aware of the amount and severity of privacy debt.  Regular reporting on privacy debt and remediation levels will help keep privacy debt front of mind.  It will help celebrate the small victories of your remediation efforts and help your company be safe for the long term.

Summary

Product managers deal with technical debt all the time.  They make priority decisions each sprint whether to build a feature or retire some technical debt.  Privacy debt is the new technical debt.  Privacy-related issues have become critical.  Barely a day goes by without some report of how a cyber attack has damaged a company.  Often these incidents can be traced back to not taking care of privacy debt in a timely manner.


Also published on Medium.