Tuesday, June 23, 2015

Fitbit Data Helps Disprove Rape Claim

I know, I know...not the typical headline you expect to see on a security topics blog.  Bear with me for a bit, though...

Last March a woman named Jeannine Risley called 9-1-1 alleging that a man in his 30s had broken into the place she was staying, woke her, and raped her.  Police found overturned furniture, a vodka bottle, and a knife on the scene when they responded.  Still, something didn't seem right about the story (example:  there was fresh snow on the ground and there were no footprints in the snow leading to the house) so they kept investigating.  As part of the investigation, police requested that Mrs. Risley provide them the Fitbit device that she was wearing so that they could analyze the data.  Sure enough, the Fitbit data proved that Mrs. Risley was awake and walking around during the period when she claimed to be asleep.  This, combined with other evidence, provided sufficient cause to charge Mrs. Risley with several misdemeanor offenses.

As one might imagine, it is the use of Fitbit data that has propelled this matter to the national stage.  As those in our profession have stated far too often, once individuals place data "out there" it is nigh impossible to restrict its use.  Mrs. Risley willingly wore a device designed to track and record her activity;  it should not be surprising to anyone that that same data could be used to prove or disprove the commission of an unlawful act. While it's doubtful that this one case will spark a substantive ripple in the push for wearable technologies or an expansion of the Internet of Things, we might finally begin to see some chatter outside of our own professional circles about the privacy and legal implications of an uber-networked society -- to include protecting the data collected from unauthorized alteration.

My two cents.  Click here for a quick link to the original story.

Monday, June 8, 2015

Security IPB

For the past 6 weeks I have been listening to the rumbles and fallout of the RSA conference…
 
…no, that’s not quite correct. It’s not been the fallout from the conference itself, but of the gauntlet thrown by RSA’s new president, Amit Yoran.
 
In his keynote address, Amit called out the security industry for its “dark ages” approach to the problem of security, laying out 5 tenets for navigating the terrain of today's new security battlefield. While I was not in attendance at RSA this year (San Francisco for a conference or the Caribbean for my wife's birthday? Hmm…), I read both the RSA press release and a transcript of the address in the days after the event.
 
I am wholeheartedly supportive of Amit’s overall message regarding the need for both the security industry and the security profession to adjust their thinking regarding the problem and the fight. Should we fail to make such an adjustment, we will continue to be viewed as an obstacle to success, an impediment to revenue…and, should we continue to fail in our perceived mission, we risk being viewed as an ineffective drag on profitability. That being said, as the profession reaches to pick up the gauntlet that Mr. Yoran has thrown, it is important to understand the full context of the battlefield on which we fight. Amit pulls upon his experience as a West Point graduate and former military officer. As another graduate and former military officer, allow me to continue the analogy by doing some old-fashioned “intelligence preparation of the battlefield (IPB)” and take a deeper look at some of the battlefield conditions we face daily.
 
1. We need to preach to the masses, not to the choir.  “Let’s stop believing that even advanced protections work. No matter how high or smart the walls, focused adversaries will find a way over, under, around, and through.” My first thought when I read this statement was, “Preach it, brotha!” Every board member and every executive I meet when I take a new job wants to know that they are “safe.” I spend much of my time during the first 30 days of any new gig reminding executives that as long as they are open for business they will never be completely invulnerable. My next thought around this point, though, was to hope that members of the security industry (those professionals who create and market the wonderful tools, technologies, and services we all use) and not just the security profession (in-house personnel currently working to protect an organization’s resources) heard what Amit was saying. While it remains true that any professional who thinks they can make an enterprise invulnerable needs a wake-up call, it is equally true that members of the security industry also need to stop making promises of nirvana and panacea -- and not just to us, but to those around us who can influence purchasing. How many of us continue to have to address the CFO, CIO, or CEO who “just talked to XYZ Vendor and they said we can’t be compliant/secure/grow hair/stop global warming without their product?” Indeed, as C-level security professionals are increasingly weaving a story of managed risk and potential vulnerability, the security industry has begun to find points of entry into the enterprise that do not involve us. Amit alludes to such promises being made during his address, but this point should not be glossed over, as it is a contributor to some of the challenges we face daily whilst attempting to secure the enterprise.
 
2. There is a cost associated with visibility – and that cost exists outside of the security budget.  Amit advocates “a deep and pervasive level of true visibility everywhere -- from the endpoint to the network to the cloud.”  He goes on to describe true visibility as including things such as full packet capture; endpoint compromise assessment visibility; and a detailed understanding of which systems are communicating with which, and what’s being communicated. Many security professionals are faced with the ever-present quandary of obtaining complete, detailed, and accurate data flow diagrams within older, multi-faceted enterprises. In many cases (except in heavily regulated spaces), these diagrams do not exist until security personnel ask for them -- and when provided, their accuracy levels tend to be suspect. Further, assuming the data flows exist, the potential increase in bandwidth and horsepower required on the network and the systems themselves in order to provide “true visibility” may be punitive and/or force system upgrades and unexpected costs within the IT organization. (Think I’m kidding? How many of you reading this article have been told that “turning auditing on for <insert system here> will kill the server/bog down the application/consume too much bandwidth?”)
 
3. You can’t ignore the rest of the I-AAA equation.  Amit rightfully discusses the importance of Identity and Access “[i]n a world with no perimeter and fewer security anchor points.”  Let us remember, though, that there are two other A’s to the I-AAA equation and at least one of them is of equally (if not more) critical importance in the current terrain: Authorization. Pop quiz, everyone: raise your hand if you can, with 100% certainty, guarantee that you know exactly the privileges and roles for absolutely every system and person in your organization AND that they are 100% complete, accurate, and appropriate. I'm not talking about the quarterly signoffs that organizations do in lieu of the in-depth visibility that Amit is referring to, but rather a detailed role mining and mapping of every system and every application in the enterprise to a meticulous level of detail that ensures entitlements are tight and accurate.
 
Most mature enterprises struggle with I-AAA over time. Unless the organization has either (a) taken the opportunity to maintain entitlement and role accuracy throughout its life cycle, or (b) invested the time (and not insignificant dollars) to do the detailed analysis and mapping, the result is a level of blindness to entitlements which is a (if not the) major contributor to security professionals maintaining a border-centric outlook. If I don’t know who you are and/or whether where you are allowed to go is appropriate, then the easiest solution is to build a wall and limit the entries/egresses to the castle. Cleaning up the authorization problem requires a level of (expensive) buy-in from IT and the organization as a whole. Many organizations do not see the criticality of such an expense yet still wish for the flexibility of a borderless environment…placing the security professional in the awkward position of appearing to be a Luddite and an inhibitor to the business or weakening (if not eliminating) the ROI associated with borderless cloud-based operations.
 
4. Asset categorization, to be useful, requires a depth of understanding of the enterprise and data flows. In most organizations, at least part of the assets considered to be critical and/or high value would be data. Strongpointing your defenses around the critical assets which house the data is a good start…but it also means controlling who has access to that data and the systems which communicate to/from that critical asset. In other words, in order to effectively accomplish Point 5 of Amit’s 5-point plan, Points 2 (deep visibility) & 3 (strong identity & access) need to be accomplished first.  Again, these objectives will require buy-in and expense outside of security’s bailiwick in order to succeed.
 
Amit Yoran’s call to arms is one that is timely, accurate, and well needed…as far as it goes. Yes, security professionals need to look at the problem differently and more holistically, but I would also contend that many (most?) C-level security professionals already do this and are actively educating our teams and constituents appropriately. The challenge, however, in operating in a manner reflective of a proper mindset is to change the conditions of the battlefield upon which we engage. The security profession continues to refine our language and our metrics to discuss the causal relationships between incomplete data flow analysis, I-AAA concerns, and the increased risks of tearing down borders -- with mixed success. The border is effectively dead, yes…but security professionals cannot maintain comparable levels of risk to the enterprise if we tear down the borders without addressing the areas in Amit’s five-point treatise. This requires those we serve to (a) prioritize the efforts necessary to allow the depth of insight into the enterprise necessary to manage risk in a borderless world, and (b) accept the fact that regardless of this level of detail we will be compromised to some extent.
 
(Let’s not forget, either, that the security industry will need to continue evolving its toolset and its message, to include delivering this same message to the Boards of Directors and chief technologists whom we serve and eschewing discussions about security which do not include members of the security team.)
 
Understand that I offer this analysis not as an excuse for inaction but rather as a completion of the treatise offered by Mr. Yoran. Throwing away the old maps, as Amit suggests, is important…but equally important is acknowledging the limitations of the terrain upon which we Warriors of the Light do battle every single day (even as we struggle to modify the terrain to suit our needs).
 
Amit has thrown down a gauntlet to the security industry and the security profession alike; however, I believe what he will find is that many of us picked up this gauntlet many moons ago and are already fighting the good fight.

Welcome to the line, Brother Amit. Your shield, your sword arm, and your voice are more than appreciated.

My two cents…