March 26th marked the 14th anniversary of the launch of the Melissa virus. This virus replicated itself through email and spread like wildfire, quickly clogging email servers (and bandwidth) in business and government institutions alike. For this, Melissa has the distinction of being the first self-replicating email worm.
You can read more about the worm and its author here.
Sunday, March 31, 2013
PCI Goes to Court
Genesco has petition the courts to reimburse it for over $13 million in fines and penalties collected on behalf of Visa by payment processors following a 2010 data breach
at the Tennessee-based sports retailer. The heart of the case seems to center around contractual languageregarding what constitues noncompliance for the sake of levying fines and penalties.
While it is doubtful that the outcome of the court case will set the PCI standard back on its heels, it does have the potential to cause a minor tremor throughout the PCI community for a couple of reasons:
You can read the full article here. Enjoy!
While it is doubtful that the outcome of the court case will set the PCI standard back on its heels, it does have the potential to cause a minor tremor throughout the PCI community for a couple of reasons:
- The fine schema by the card processors for breaches appears (note word!) to be inconsistent. As the article points out, Mastercard hit Genesco up for $2 million in fines for the same data breach that Visa asked for $13 million. This may or may not be an indicator of the ratio of card numbers/accounts that were exposed.
- If Genesco can credibly demonstrate that it was, indeed, in compliance with the PCI-DSS at the time of the breach then it may (again, note word :) ) cause folks to awake to the notion that PCI compliance does not mean that an organization is secure. If this happens, then retailers and merchants may question the validity of the standard only insofar as pertains to the fines and penalties levied by the card brands. If this occurs, it could open the floodgates regarding more sharing of the pain around data breaches between merchants, payment processors, and the brands themselves.
You can read the full article here. Enjoy!
Sunday, March 24, 2013
California State Senator Pushing for Warrants for Email Searches
Earlier this week, California state senator Mark Leno
introduced a bill which would require all law enforcement agencies operating
under the state’s jurisdiction to receive a warrant before reading the email of
private citizens.
Under the provisions of the Electronic Communications
Privacy Act of 1986, law enforcement agencies can request access to emails that
have already been opened by the intended recipient or have been stored on servers
for more than 180 days. While these
provisions seemed reasonable at the time of passage, they fail to take into
account the massive amounts of online storage available via email providers
today. Worse, depending upon the backup
regimens of the email provide an email deleted by the individual user might
still be available via an online backup share for quite some time. Again, the ECPA is not quite as clear on this
point as it might be.
Lest you think this movement is limited to
California, there were additional reports this week that there appears to be
consensus building re: modifying the ECPA at a national level. In a hearing held on 19 March by the Judiciary
subcommittee on Crime, Terrorism, Homeland Security and Investigation, Rep. Jim
Sensenbrenner (R-Wis.) said that only requiring a subpoena instead of a warrant
to access emails is "outdated and probably unconstitutional." Of course, believe that a law needs to be
amended and making pronouncements to that effect is markedly different than
deciding how to amend the law or agreeing on a timetable for action.
Wednesday, March 20, 2013
Hacker Sentenced to 41 Months for AT&T/iPad hack
A federal judge has sentenced Andrew Auernheimer
to 41 months in prison. Auernheimer exploited a security flaw in
AT&T's iPad registration scheme in order to download contact
information for thousands of iPad users. In addition to prison time, Auernheimer will be subject to three years of supervised release has been ordered (along with a co-defendent) to pay AT&T
$73,000.
I admit that I have been surprised by the amount of mainstream press this sentencing has gotten. One one side, Auernheimer is portrayed (accurately) as a unrepentant hacker who is milking his 15 minutes of fame. On the other, folks are questioning both the interpretation of the relevant law (The Computer Fraud and Abuse Act of 1986) as well as the appropriateness of the sentence handed down -- especially in light of the recent sentencing of two Ohio teens in a highly-publicized rape case.
You can read a quick summary of the Auernheimer case here.
I admit that I have been surprised by the amount of mainstream press this sentencing has gotten. One one side, Auernheimer is portrayed (accurately) as a unrepentant hacker who is milking his 15 minutes of fame. On the other, folks are questioning both the interpretation of the relevant law (The Computer Fraud and Abuse Act of 1986) as well as the appropriateness of the sentence handed down -- especially in light of the recent sentencing of two Ohio teens in a highly-publicized rape case.
You can read a quick summary of the Auernheimer case here.
Cyber Election Fraud in Florida
Earlier this week, NBC reported that an attack against a Florida website resulted in the first known case of online election fraud in the US. According to a grand jury report on irregularities in the August 2012 election, someone created a computer program that "automatically, systematically, and rapidly" submitted over 2,500 "phantom requests" for absentee ballots to a Miami-Dade County elections website in an attempt to skew election results. While this was not the only fraudulent act that occurred during the election, it is still a milestone that is worth noting :)
You can find a full copy of the report here. Enjoy!
You can find a full copy of the report here. Enjoy!
Saturday, March 16, 2013
Facebook "Likes" Can Reveal Personal Information
A recent article on CSOOnline.com reviews a research project conducted at Cambridge University. In this project, researchers were able to predict several personal characteristics (race, ethnicity, sexual orientation, religious affiliation, etc.) based upon a detailed analysis of Facebook "likes." The overall point being made by researchers is to demonstrate how seemingly innocuous yet publicly available digital data can reveal more about you that you might think. A pretty powerful teaching point for use in your SETA programs :)
A copy of the study may be found here, and is also linked off of the CSO magazine article. It's a very short read...enjoy! Oh, and take a moment to dig into Table S1 of the research article; it lists some of the most common "likes' which were most revealing of personal traits/characteristics. While some were fairly obvious, a few raised my eyebrows.
A copy of the study may be found here, and is also linked off of the CSO magazine article. It's a very short read...enjoy! Oh, and take a moment to dig into Table S1 of the research article; it lists some of the most common "likes' which were most revealing of personal traits/characteristics. While some were fairly obvious, a few raised my eyebrows.
Friday, March 15, 2013
Vulnerabilties in Security Appliances
Recent articles published in CSO Online and Computerworld are referencing a report by NCC Group which casts light on the vulnerabilities and security flaws which exist in many computer appliances. NCC's research, which it released at Black Hat Europe 2013, revealed significant vulnerabilities in almost all security appliance prodcuts that were tested. These included vulnerabilities to:
I have posted a copy of the full NCC report here for those who are interested.
- Cross-Site_Scripting attacks
- Automated password attacks for SSH
- Unauthenticated detailed version disclosure
I have posted a copy of the full NCC report here for those who are interested.
Tuesday, March 12, 2013
Winn Schwartau Comments on RSA Conference
In a previous post I commented about how schlocky the RSA Conference had become. Apparently, I am not alone in my concerns. Click here to read an article by Winn Schwartau entitled The RSA Conference Expo Floor Offended Me - and Why I Blame the Exhibitors. Here's an excerpt...
'From "booth babes" to vapid marketing lingo to directionless conversations with vendor reps, one industry veteran wonders how information security professionals can take the RSA Conference showroom floor seriously.'
Let's hope the vendor community listens before next year...
Monday, March 11, 2013
Why Heroes are Bad
I came across an interesting article today on the topic of project heroism and why it can be bad for an organization. There are some really insightful points here for those of us who have built teams and organizations in our lifetimes.
Many organizations have heroes, building world class functional teams means equipping every member of the team for feats of heroism :) This can be hard for the heroes in your organization to accept, which may lead to turnover and painful conversations. As the article points out, in the long run this is a good thing.
Article is located here. Enjoy!
Many organizations have heroes, building world class functional teams means equipping every member of the team for feats of heroism :) This can be hard for the heroes in your organization to accept, which may lead to turnover and painful conversations. As the article points out, in the long run this is a good thing.
Article is located here. Enjoy!
Sunday, March 10, 2013
CyberSecurity Framework RFI
Hopefully, this is old news to everyone, but I'm still catching up after conferences and travel so i assume that others might be as well :)
In response to the presidential Executive Order on Improving Critical Infrastructure Cybersecurity, NIST has released an RFI in the Federal Register to gather initial information on the many interrelated considerations, challenges, and efforts needed to develop the Framework. Folks, this an opportunity to get involved in the shaping of cybersecurity withing the US. Too often we as professionals complain about legislators not understanding the problems we face and creating laws/regulations which are impractical as well as ineffective. This is our opportunity to at least minimize and potential negative outcomes from the Executive Order...if not to create something useful and game changing :)
The RFI may be found here; give it a read...and get involved!
In response to the presidential Executive Order on Improving Critical Infrastructure Cybersecurity, NIST has released an RFI in the Federal Register to gather initial information on the many interrelated considerations, challenges, and efforts needed to develop the Framework. Folks, this an opportunity to get involved in the shaping of cybersecurity withing the US. Too often we as professionals complain about legislators not understanding the problems we face and creating laws/regulations which are impractical as well as ineffective. This is our opportunity to at least minimize and potential negative outcomes from the Executive Order...if not to create something useful and game changing :)
The RFI may be found here; give it a read...and get involved!
"Opening Up a Second Front on Risk Management"
I had the pleasure of listening to Ron Ross of NIST speak on the concept of integrating cybersecurity requirements into architecture, engineering, acquisition, and the SDLC. While none of the concepts Dr. Ross speaks about are new to those of us who have been doing this for a bit, the presentation gives a good, multifaceted look at the problem and proposed a solutions framework based on the NIST documentation. Whether you are pro-NIST or anti-NIST, the presentation is worth a review. You can find a link to it here, compliments of Dr. Ross. Enjoy!
Mobile Security Vendor Analysis
Tuesday, March 5, 2013
What Would You Do If You Became CISO?
In Monday's Salted Hash blog, Bill Brenner sends us to look at a "man on the street" video taken at last week's RSA Conference. In this video, InfoSec practitioners are asked what they would do if they were made CISO tomorrow. There were many amusing answers ("fall off the wagon;" "party hearty"), but there were also some well thought out responses amongst the contributors. The thing that stuck me most about this video, though is that answer that missing: understanding your business and its business model.
As a profession, we have preached for some time about the importance of understanding the business when constructing a security program. One of my esteemed colleagues has even been quoted as saying that CISOs should "stop fiddling with the firewalls and go talk to the business" -- a sentiment with which I could not agree more. Yet despite our efforts on this front, a random sampling of respondents (which included two CISOs) taken at one of the largest security conferences in the nation failed to recognize obtaining business knowledge as one of the first things that a CISO needs to do when taking the Chair.
There's no secret to obtaining business knowledge, folks. Often it is merely a matter of making the effort. Here are a few approaches that I have found to be helpful over the years...
Ask Questions. Day One for me as a CISO usually starts with me getting on the calendars of every executive leader in the company. During these meetings my goal is neither to persuade anyone of the importance of the CISO job nor even to gauge who my allies and enemies might be; I am simply looking for the answers to three questions:
1. How does your portion of the company make money? In nonprofit organizations, the question can be rephrased as how do you provide service/how do you help the company meet its objectives? Understanding what the business leaders see as driving revenue/value helps you understand what is important to protect...and where disruption might be perceived negatively.
2. What keeps you up at night from a security perspective? What are the leaders really worried about? On every occasion, I find myself surprised by at least one item that is on the minds of the business. Keeping this item on your radar -- and solving for it -- can create momentum and buy in for other parts of your program.
3. What is the one thing I can do to help you from a security perspective? Yes, you'll get the "eliminate the firewall" and "just go away" answers from some; but you'll also get some fairly direct and meaningful answers from leaders who do want to figure out how you fit within their organization. Again, this is an opportunity to receive meaningful guidance on how to achieve operational "win-wins" as you implement your program.
Listen. Be open shuttered and passive. Don't assume you have all the answers. Remember that the business, no matter how vulnerable, has managed to survive (if not thrive) before you came on board. You don't have to agree with everything everyone says, but only by listening can you begin to understand their perspectives and points of view.
I start every new encounter by informing people that I know exactly two things: that my wife & son love me unconditionally, and that I could be wrong about everything else. Keeping this perspective throughout a conversation helps ensure that I stay focused on my colleague and on understanding their issues.
Buy Coffee and Lunch. Everyone has to eat sooner or later...and most people will give you more of their time over a cup of coffee or a meal. Taking the time to break bread (or caffeine) together can instantly begin go defuse a tense situation. Meal meetings occur on neutral ground (i.e., not in anyone's office) and can be a great opportunity to get to know one another beyond the work roles that we assume. This even rudimentary relationship building can go a long way in helping you integrate into the business environment as well as create opportunities for dialogue and cooperation.
My personal of rule of thumb is that I set aside $1000 for coffees and lunches out of my own pocket when I take a new CISO job. My objective is to spend the entire amount within the first 45 days meeting with executives, peers, team members, and other key business personnel. I contend that this is the best investment a new CISO can make in his or her success.
Make no mistake; these pointers will not mean a painless journey for a new CISO; there will always be those for whom your role is nothing but a necessary evil. That being said, remembering to focus on the business can make a hard road somewhat less bumpy...and mayhap even enjoyable.
As a profession, we have preached for some time about the importance of understanding the business when constructing a security program. One of my esteemed colleagues has even been quoted as saying that CISOs should "stop fiddling with the firewalls and go talk to the business" -- a sentiment with which I could not agree more. Yet despite our efforts on this front, a random sampling of respondents (which included two CISOs) taken at one of the largest security conferences in the nation failed to recognize obtaining business knowledge as one of the first things that a CISO needs to do when taking the Chair.
There's no secret to obtaining business knowledge, folks. Often it is merely a matter of making the effort. Here are a few approaches that I have found to be helpful over the years...
Ask Questions. Day One for me as a CISO usually starts with me getting on the calendars of every executive leader in the company. During these meetings my goal is neither to persuade anyone of the importance of the CISO job nor even to gauge who my allies and enemies might be; I am simply looking for the answers to three questions:
1. How does your portion of the company make money? In nonprofit organizations, the question can be rephrased as how do you provide service/how do you help the company meet its objectives? Understanding what the business leaders see as driving revenue/value helps you understand what is important to protect...and where disruption might be perceived negatively.
2. What keeps you up at night from a security perspective? What are the leaders really worried about? On every occasion, I find myself surprised by at least one item that is on the minds of the business. Keeping this item on your radar -- and solving for it -- can create momentum and buy in for other parts of your program.
3. What is the one thing I can do to help you from a security perspective? Yes, you'll get the "eliminate the firewall" and "just go away" answers from some; but you'll also get some fairly direct and meaningful answers from leaders who do want to figure out how you fit within their organization. Again, this is an opportunity to receive meaningful guidance on how to achieve operational "win-wins" as you implement your program.
Listen. Be open shuttered and passive. Don't assume you have all the answers. Remember that the business, no matter how vulnerable, has managed to survive (if not thrive) before you came on board. You don't have to agree with everything everyone says, but only by listening can you begin to understand their perspectives and points of view.
I start every new encounter by informing people that I know exactly two things: that my wife & son love me unconditionally, and that I could be wrong about everything else. Keeping this perspective throughout a conversation helps ensure that I stay focused on my colleague and on understanding their issues.
Buy Coffee and Lunch. Everyone has to eat sooner or later...and most people will give you more of their time over a cup of coffee or a meal. Taking the time to break bread (or caffeine) together can instantly begin go defuse a tense situation. Meal meetings occur on neutral ground (i.e., not in anyone's office) and can be a great opportunity to get to know one another beyond the work roles that we assume. This even rudimentary relationship building can go a long way in helping you integrate into the business environment as well as create opportunities for dialogue and cooperation.
My personal of rule of thumb is that I set aside $1000 for coffees and lunches out of my own pocket when I take a new CISO job. My objective is to spend the entire amount within the first 45 days meeting with executives, peers, team members, and other key business personnel. I contend that this is the best investment a new CISO can make in his or her success.
Make no mistake; these pointers will not mean a painless journey for a new CISO; there will always be those for whom your role is nothing but a necessary evil. That being said, remembering to focus on the business can make a hard road somewhat less bumpy...and mayhap even enjoyable.
Saturday, March 2, 2013
RSA Ramblings
So I’m sitting in my usual coffee haunt, trying to digest
the cacophony of sights, sounds, and information from this past week at the RSA
Conference.
I went to RSA this year primarily for two reasons:
Intelligence/Big Data. Big Data and the ability to derive security analytics and intelligence from the data reigned supreme on the vendor floor. It’s interesting, if you think about it for a bit. Years ago we claimed that the systems and tools weren’t generating enough data for us to see what was truly going on in our networks; once we created tools to generate the data, we quickly realized we have 150 fire hoses of data pointing at us, yet lacked the ability to extract relevant intelligence from streams of garbage. While it appears we are not focusing on that problem, we are still seeing the majority of our concerns (upwards of 70% by some counts) resulting from lack of patching of known exploits…something we don’t need a “big data” engine to fix.
APT. Mandiant’s report on China’s cyberespionageefforts created some additional “buzz” around APT in general prior to the conference, but did little to impress the security community. Nothing in the report was considered news to those who watch the space, and many of us expected that Mandiant was positioning itself well from a sales perspective prior to the conference. We cynics were proven correct when Mandiant used its report as a springboard to launch its Intelligence Center offering on Tuesday at the conference.
The Human Element. I was pleased to see the conference add a track devoted to human factors security; indeed, it is a recognition (finally!) that we as a profession have spent way too little time and energy focused on a critical portion of the people-process-technology triad. While some of the information (such as Lance Spitzner’s announcement of a new SecurityAwareness Roadmap) was truly insightful, I admit some disappointed in the fact that many of the presentations focused of problem definition versus offers of solution…and fixing awareness programs versus understanding the human element. Still, the fact that these discussions were occurring and that most sessions were packed should be viewed as a good sign overall.
Party Hearty. There were some wilder than usual stories re: some of the vendor parties that were being offered. In one case, a vendor hosted a party at a strip club for their clients this year! The Vegas over-the-top style of the conference appears to have set in in earnest. Disappointing, to say the least.
I went to RSA this year primarily for two reasons:
- I took a new CSO gig this year and had vendors nipping at my heels from day one. I figured I could get most of my vendor meetings out of the way in one fell swoop.
- It’s a good way to get my CPEs out the way for the year :)
Intelligence/Big Data. Big Data and the ability to derive security analytics and intelligence from the data reigned supreme on the vendor floor. It’s interesting, if you think about it for a bit. Years ago we claimed that the systems and tools weren’t generating enough data for us to see what was truly going on in our networks; once we created tools to generate the data, we quickly realized we have 150 fire hoses of data pointing at us, yet lacked the ability to extract relevant intelligence from streams of garbage. While it appears we are not focusing on that problem, we are still seeing the majority of our concerns (upwards of 70% by some counts) resulting from lack of patching of known exploits…something we don’t need a “big data” engine to fix.
APT. Mandiant’s report on China’s cyberespionageefforts created some additional “buzz” around APT in general prior to the conference, but did little to impress the security community. Nothing in the report was considered news to those who watch the space, and many of us expected that Mandiant was positioning itself well from a sales perspective prior to the conference. We cynics were proven correct when Mandiant used its report as a springboard to launch its Intelligence Center offering on Tuesday at the conference.
The Human Element. I was pleased to see the conference add a track devoted to human factors security; indeed, it is a recognition (finally!) that we as a profession have spent way too little time and energy focused on a critical portion of the people-process-technology triad. While some of the information (such as Lance Spitzner’s announcement of a new SecurityAwareness Roadmap) was truly insightful, I admit some disappointed in the fact that many of the presentations focused of problem definition versus offers of solution…and fixing awareness programs versus understanding the human element. Still, the fact that these discussions were occurring and that most sessions were packed should be viewed as a good sign overall.
Party Hearty. There were some wilder than usual stories re: some of the vendor parties that were being offered. In one case, a vendor hosted a party at a strip club for their clients this year! The Vegas over-the-top style of the conference appears to have set in in earnest. Disappointing, to say the least.
* * * * *
Leaving RSA, I found myself once again overwhelmed by how
underwhelming it was re: substance and vision.
As an industry and a profession I get more and more concerned that we
are using this conference (and others like it) to pat ourselves on the back, take
the time to mutually commiserate, or just promote the latest toy versus
utilizing the strength of our profession (and the collective vendor brands) to
solve the simple environmental problems which make up 70%+ of our threat
picture.
Keep your fingers crossed for next year…
Subscribe to:
Posts (Atom)