Overview of Aliceo Inc and its Business Units
Aliceo Inc. is a consumer credit ratings agency. Founded in 2000, the company competes with, and is similar in size to, other consumer credit ratings agencies like Equifax, TransUnion and Experian. The company is headquartered in Baltimore, Maryland, and has 10,000 employees, mostly in the Baltimore and Washington D.C. area, but also in New York, San Francisco, London, Toronto, Hong Kong and Buenos Aires. The company has five lines of business:
• a “Merchant Services” organization, which provides creditworthiness information to corporate clients and tracks credit scores;
• a “Consumer Services” organization that sells credit monitoring and alert services to consumers;
• a “Government Services” organization that provides credit checks for government workers;
• a “Mortgage Services” business which works exclusively with mortgage providers;
• and a “Core Organization,” which comprises functions like human resources, legal, regulatory compliance, the chief executive office, technology and the cybersecurity organization.
Cybersecurity Structure at Aliceo Inc
The company has only 20 full-time cybersecurity employees: 15 are based in a Security Operations Center in Baltimore, three in London, and one each in Toronto and Hong Kong. The company outsources functions such as identity and access management (the onboarding and offboarding of employee accounts) and data loss prevention to an organization called Reconizant. Reconizant also provides the company with services like clean-up and crisis management in the event of a breach.
Aliceo Inc. also has a structure of “Business Information Security Officers,” or “BISOs,” scattered throughout the five lines of business. Each of these representatives is responsible for leading security initiatives in his or her respective line of business, while focusing on the unique challenges within that business unit. There are 25 BISOs in all, five per line of business, each representing a different business team. The BISOs are not accountable to the Chief Information Security Officer (CISO), who heads the cybersecurity organization. Instead, they report to the heads of their own respective lines of business.
Aliceo Inc. has a CISO named Mike Lewis. Lewis reports to the company’s Chief Information Officer (CIO), Penny Newman, who in turn reports to the Chief Executive Officer (CEO), Paul Rubio. Lewis also has a “dotted line” reporting relationship to the company’s Chief Legal Counsel, Teri Malley: while he does not officially report to Malley, he is accountable to the legal office as well as to the CIO’s office.
Rhododendron Vulnerability and Patching
Today (Day One), Lewis’s staff have informed him that the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, has released a critical security patch for an application framework called “Rhododendron.” An application framework provides the underlying software infrastructure on which other applications and databases are built, so it ends up running common corporate functions. At Aliceo Inc., Rhododendron is used heavily throughout every line of business.
Lewis’s staff report that the flaw affecting Rhododendron is significant and will need to be patched immediately.
Confirming this, Lewis receives a call from Malley informing him that legal heads at several large banks have alerted her to the problem and demanded that Aliceo Inc. patch the vulnerability immediately. The banks are also patching the flaw, and they are subject to severe regulatory restrictions, including through their relationship with Aliceo Inc., if the flaw is left exposed. This is because, if exploited, the Rhododendron vulnerability could give a criminal easy access to large databases of unencrypted personal information, including Social Security numbers, mortgage applications, and scans of driver’s licenses and passports.
Lewis orders his staff to patch the problem immediately. He does this by sending a memo by email through the network of BISOs describing the problem, its urgency and the need to patch immediately even if the business leads protest. The BISOs immediately order their line-of-business teams to begin following the patching procedure.
Some of the BISOs experience pushback from their business partners. In the Merchant Services line of business, the health care team complains that the patching will cause too much disruption, as they are in the middle of an important trade show. The Health Care BISO agrees to patch the Rhododendron problem in the evening so the show is not disrupted.
In the Mortgage Services line, a team responsible for servicing a special veterans’ mortgage program complains that the patching process will delay several customers’ home closing dates. The Veterans Mortgage Services BISO insists, explaining that if the system is not patched, those veteran clients may have their personal information put at risk. The Veterans Mortgage executives finally agree to the patch.
In the Consumer Services business, the Complaint Resolution group says the delay will make a huge backlog of complaints even worse. The head of the Complaint Resolution group, Stacy Yoo, argues forcefully with the Complaint Resolution BISO, Nick Figaro, who agrees to delay the patching by one month so the group can clear its backlog. Of the 25 groups in the company overseen by BISOs, only the Complaint Resolution group’s systems will go unpatched.
Once new projects take their attention away from Rhododendron, Yoo and Figaro forget about the patch and never complete the emergency patch project. Thinking his memo was sufficient, and seeing the majority of BISOs take immediate action, Lewis does not follow up with the BISOs to confirm that the patch has been completed. The CIO and General Counsel also do not follow up about the patch. Not wanting to bother CEO Rubio with small technology matters, nobody informs him about the vulnerability or the patch program at all.
For your consideration:
1. What are some of the strengths and weaknesses of the organizational structure of cybersecurity at Aliceo Inc.?
2. What could the CISO have done better in terms of communicating to the BISOs? Do the legal counsel and CIO also have a responsibility to communicate? To whom?
One month has passed since the Rhododendron patching project. At the Security Operations Center in Baltimore, a cybersecurity analyst named Drew Konovsky receives a phone call from a team at the security outsourcing organization Reconizant. Konovsky is a junior employee responsible for monitoring the corporate network for potential breaches, using alerts the company receives from several different monitoring software programs as well as from third parties like Reconizant.
“We detected that the credentials for an employee based in Buenos Aires were being used to log into a computer in mainland China,” the Reconizant employee says. “We thought it was suspicious. We wanted to let you know. The employee’s name is Catalina Garcia. She works in the Core Organization, in human resources for South America.”
Konovsky follows up on the report by researching the internal movements of Garcia. He finds that not only has Garcia apparently been logging in from several different, suspicious locations, but she has somehow managed to go into and remove – or “exfiltrate” – data from the Consumer Services group, specifically from the Complaint Resolution group. Konovsky asks two other analysts to help him research the possible breach.
They further discover that Garcia appears to have been able to gain extremely deep access into sensitive Complaint Resolution databases, which include hundreds of millions of private consumer credit reports. Further, Garcia appeared to be removing the information one gigabyte at a time, just shy of the “tripwire” level set up by the cybersecurity team to alert them to unusually high exfiltration activity.
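The exfiltration pattern described above, transfers sized just under a single-event threshold so that no individual transfer fires the alert, is the classic weakness of a per-event tripwire. The following is an added example, not part of the case study, of how the Aliceo security team could have caught it: a sliding-window check that tracks each user's cumulative outbound volume over a trailing period and also counts runs of transfers that sit just under the tripwire, since consistently "almost tripping" a threshold is itself a signal. The log format, the 1 GiB tripwire, the 24-hour window, the 3 GiB window budget and the user names are all assumptions chosen for the illustration; the sample log is constructed.

```python
"""Sliding-window detection of low-and-slow exfiltration.

Added example (not from the case study). Assumes a constructed log of outbound
transfer events, one per line: `timestamp user bytes destination`. The 1 GiB
per-event tripwire, 24-hour window, 3 GiB window budget and near-miss settings
are assumed values chosen for the illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

GIB = 1024 ** 3
PER_EVENT_TRIPWIRE = 1 * GIB        # the alert the attacker in the case stays just under
WINDOW = timedelta(hours=24)        # trailing window over which per-user egress is summed
WINDOW_BUDGET = 3 * GIB             # cumulative egress allowed per user per window
NEAR_MISS_FRACTION = 0.90           # a transfer of >= 90% of the tripwire is a "near miss"
NEAR_MISS_COUNT = 3                 # this many near misses in one window is suspicious on its own

# Constructed sample log: four ~0.99 GiB transfers by one user over two evenings
# (none exceeds the tripwire) plus one 5 GiB transfer by a backup service account.
SAMPLE_LOG = """\
2024-03-04T21:05:00 cgarcia 1063004000 203.0.113.7
2024-03-04T22:40:00 cgarcia 1061000000 203.0.113.7
2024-03-05T01:15:00 cgarcia 1060500000 203.0.113.7
2024-03-05T20:50:00 cgarcia 1062000000 203.0.113.7
2024-03-05T03:00:00 backupsvc 5368709120 10.0.0.9
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, user, bytes, destination) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, nbytes, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, int(nbytes), dst))
    events.sort(key=lambda e: e[0])
    return events


def per_event_alerts(events):
    """The original tripwire: fires only when a single transfer exceeds the threshold."""
    return [(user, "per_event_tripwire", ts)
            for ts, user, nbytes, _ in events if nbytes > PER_EVENT_TRIPWIRE]


def sliding_window_alerts(events):
    """Per-user trailing-window aggregation.

    Fires on cumulative volume over the window, or on a run of near-threshold
    transfers, neither of which the per-event check can see. Each (user, rule)
    pair fires at most once so the output stays readable.
    """
    recent = defaultdict(deque)     # user -> deque of (timestamp, bytes) inside the window
    alerts, fired = [], set()
    for ts, user, nbytes, _ in events:
        q = recent[user]
        q.append((ts, nbytes))
        while q and ts - q[0][0] > WINDOW:   # evict events older than the window
            q.popleft()
        total = sum(b for _, b in q)
        near_misses = sum(1 for _, b in q
                          if NEAR_MISS_FRACTION * PER_EVENT_TRIPWIRE <= b <= PER_EVENT_TRIPWIRE)
        if near_misses >= NEAR_MISS_COUNT and (user, "near_miss_run") not in fired:
            fired.add((user, "near_miss_run"))
            alerts.append((user, "near_miss_run", ts))
        if total > WINDOW_BUDGET and (user, "window_budget") not in fired:
            fired.add((user, "window_budget"))
            alerts.append((user, "window_budget", ts))
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-event tripwire:", per_event_alerts(evts))        # only backupsvc
    print("sliding window:   ", sliding_window_alerts(evts))    # cgarcia is now visible
```

Run stand-alone, the per-event check flags only the backup account's single 5 GiB transfer and never sees cgarcia, while the windowed check flags cgarcia on the third near-miss transfer and again when the 24-hour total passes the budget. In production the thresholds would be tuned per role (a backup service account legitimately moves far more than a recruiter), and the same aggregation would be keyed on destination as well as user.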
While examining the Complaint Resolution infrastructure, Konovsky conducts a scan to look for vulnerabilities. He discovers the Complaint Resolution database was never patched for the Rhododendron flaw. Konovsky looks up more information on Garcia. He sees that she was a newly hired employee, and was part of a college recruitment program. She works in the HR organization as a recruiter. She has lots of information available publicly on social media, including deep details about her role. In one social media image, she is holding up her Aliceo Inc. work badge and smiling to celebrate her first day in the new role. Her unique, private work ID login number is clearly visible in the image.
Based on this information, Konovsky determines that Garcia has most likely had her credentials stolen. A malicious actor, he theorizes, was then somehow able to exploit the Rhododendron flaw to gain deep access to consumer databases. This activity has been ongoing for about three weeks, Konovsky estimates, almost always in the evening hours, when very few employees are monitoring the Aliceo Inc. networks.
He immediately goes to CISO Lewis’s office to tell him what he has discovered. Lewis’s secretary, who has been instructed to make analysts schedule meetings because of Lewis’s busy schedule, tries to stop Konovsky. But, Konovsky insists it is important and bursts into Lewis’s office.
Lewis, who is about to leave for his monthly 10-minute presentation with the CIO, waves him off angrily for the interruption. “Call Nick Figaro in Complaint Resolution. Tell him to fix it,” Lewis says.
Lewis goes to his meeting with CIO Newman which is focused on increasing the cybersecurity team’s budget for the new fiscal year. Lewis does not brief the CIO on the potential breach.
For your consideration:
1. Could Konovsky have approached the situation better, or was his sense of urgency appropriate?
2. How should Lewis have responded?