Sunday, November 20, 2016

The Future of Cybersecurity

Jim Routh is one of our industry's visionary leaders.  I always enjoy listening to him and his vision of the direction of our profession.  Recently, I had occasion to discuss Jim his thoughts on the future of cybersecurity; he placed those thoughts in a white paper which you can find here.

Definitely worth your time.  Enjoy!!

Wednesday, November 16, 2016

Cybersecurity and the Board of Directors

Over the past three weeks I’ve had occasion to attend three separate events all focusing on cybersecurity and the Board of Directors (BoD).  Two events were multi-day events;  the third was a webinar.  The target audiences for these events varied from current board members to future CISOs

Several themes emerged from those events that are worth sharing:

1. It’s an Understanding Barrier, not a Language Barrier.  Over the past decade security professionals have been encouraged to speak “the language of the business.  After attending these events I have become more convinced that it’s not the presence of a common language but an erroneous assumption of understanding that is impeding communications.  When a security professional says things like “malware,” “darknet,” and “distributed denial of service attack” we believe that there is at least a rudimentary understanding of the term.  Not the technical aspects, mind you, but at least the basics of what the term means re: impact to the business.  This is not the case.  In one of the events that was geared toward board members, the security presenter spent the bulk of the time explaining the difference between a phishing attack and a DDoS attack.  The executives present – all of whom sit on boards of directors – were extremely grateful to the very rudimentary explanation.  Terms that my most teenagers know today are so foreign to most BoD members that it is almost impossible for them to see the linkages between these threats, the existing risks, and the proposed actions.  One BoD member for a well-known restaurant chain  put it this way: “I know more about cuts of meat and purchasing produce that I ever thought I would know at 40.  My five year old probably understands more about cyber than I do, though.”  Security professionals would be well served to find ways to provide rudimentary education to their BoD members and their executives prior to risk decisions being made

2. Everyone Has A Story – and It’s Usually Not A Pleasant One.  At all three events, more than one person couldn’t help themselves and went down the rabbit hole of telling their story of the “horrible, clueless BoD member/CISO” that they had to deal with at one time or another.  We all know the pieces of this tragic tale:  either it’s the CISO who “interfered with business” to the point where executives cheered when s/he left, or it’s the “clueless CXO” who had a risk appetite of zero yet would not fund or support the initiatives necessary to mitigate risks – and worse, took no ownership of existing risks.  Both sides were frustrated and entrenched in their positions…to start.  It took the guidance and leadership of the instructor cadres at these events to move the groups towards solutioning instead of griping.  In our everyday lives, we need to do the same within our organizations.

3. The Threat Is Real.  It Is Also Existential.  Even if we do everything correctly, the looming threat of an exposure or breach will always be there at a not insignificant level.  Security professionals who persist on discussing innocuous threats with qualitative risk measurements in order to justify solutions must still grapple with the reality that their efforts will not offer the guarantees that executives would prefer to hear.  The key discussion, of course, should be one of risk appetite and risk management; unfortunately, to have that discussion organizations must place some level of valuation on non-tangible assets such as data and reputation.  

4. Come Together.  The most striking thing about these training events was the decided lack of commingling of executives and security professionals.  While there were were 1-2 exemplars of “the other side” at each event, none of these training organizations attempted to have both groups in the room together to learn from one another.  We cannot learn to communicate with one another effectively if we continue to isolate ourselves from one another as we discuss the same problems.

On the positive side, I admit being pleased with the majority of the content of these training events – and the fact that this training was occurring at all.  The recognition of the need to close the gaps between security and the BoD in order to address the challenge of cybersecurity is long overdue. Seeing organizations and individuals make a concerted effort at creating effective bridges gives me hope for the the future of our cyber awareness & cyber capability.

My two cents…

Thursday, October 27, 2016

Recruiting and Retaining Cybersecurity Talent

Last week I had the privilege os partaking in ISSA’s webinar regarding the current cybersecurity talent shortage.  I was part of a panel which included a recruiting agency as well as two former CISO discussing how we better identify, attract, and keep talent.  Lots of different (and insightful) perspectives were put on the table; if you’re a hiring manager within the security space, this is definitely worth your time.  Click on this link to access a recording of the webinar…and let me know your thoughts!

Thoughts on IoT Vulnerabilities

(Warning:  this post is a bit of a rant.  Proceed at your own risk :) )

The more things change, the more they stay the same.  This is the lesson we need to take from last week’s DDOS attack via (amongst other things) internet-of-things (IoT) devices.

Several years ago I gave a presentation on what I called the “Business Ideation Cycle” as pertains to security.  It goes something like this:

  1. The business has a “great idea” that’s highly innovative
  2. Business leaders discuss the benefits, costs, and risk…usually without security personnel present.
  3. The business leaders get approval to pursue their idea and select a vendor…again, usually without input from security
  4. Sometime between proof-of-concept and going into production – and usually due to the fact that approvals of some sort are needed in order to go live – security is notified of the plan and asked to approve
  5. Security personnel start to (gasp!) ask questions about the security ramifications.  They introduce risk concepts not solely related to profit and loss that are relevant to the implementation.  
  6. Business leaders complain to executives that security is “slowing things down” and “disrupting” business
  7. In the end, one of two things happens: (a) the business implements a “shadow IT” infrastructure to achieve their objectives; or (b) the implementation is modified to account for security
  8. Regardless of the decision in (7), the desired results which drove the innovative idea aren’t fully recognized or realized.  In the case of Shadow IT, this gap is usually because the rogue implementation cannot be fully supported and/or cannot be scaled appropriately.  In the case of a modified implementation, the modifications usually end up limiting some of the originally planned functionality
  9. In the end, the business needs to take a different path to achieve its revenue objectives…resulting in further ideation and a brand new “great idea.”

…and the cycle continues.  

This cycle has existed for decades, if not longer.  Many Warriors of the Light remember similar conversations around offshoring; outsourcing; laptops; WiFi; Bluetooth; and cloud-based services providers.  As security professionals we tell businesses that we want to support their ideas, but we need to be brought into the processes earlier in order not to be a disruption.  We tell our leaders that we are happy to assist in the deployment of this technology/solution/idea, but that our risk acceptance levels will (and must) change as we cannot guarantee the same risk levels as exist within the current operating model; and we diligently and rapidly clean up the messes that occur when we are not listened to.

While convenience and speed-to-market will always trump security in the minds of most businesses – and individuals – bolting on security as an afterthought is always more dangerous and more costly.  If the stories are to be believed regarding a default password hard-coded into the firmware of the vulnerable devices, this is something that any application security engineer would have raised as a red flag if the company had performed an AppSec review.  Instead, the company is now facing a recall of thousands of its devices as well as reputational damage – to itself and to the IoT industry as a whole.  We need to move closer to a model where “security by design” becomes a value-added differentiator versus just an inconvenience or a necessary evil.  

Security is not convenient…but it doesn’t have to be inconvenient if we factor in security considerations during the earlier phases of design – and throughout the entirety of the the development/ideation life cycle.

My two cents…


Thursday, October 20, 2016

Cyberwar Revisited

Over the past couple of weeks, I've had occasion to reflect upon the concept of “cyber warfare.”  On one occasion I found myself disagreeing with a member of the local cyber community when he said, “make no mistake we are at war." On another (more interesting) occasion I was speaking with a couple of law students who were discussing the possibility of redefining what “war” means in order to “deal with the new realm of cyberspace.”

 

The term war brings with it a certain amount of gravitas but with it also comes a plethora of baggage.  The only thing more dangerous, though, than misrepresenting something as “war” is to invent new terms for things that are already well defined – similar to our reinvention of “torture” as “enhanced interrogation techniques.”  (My father was water boarded as a POW in Korea; in his words, “torture” is the only accurate term to describe this practice). 


Rather than redefining “warfare,” mayhap it is time to use the existing lexicon to see where illegal acts in cyberspace accurately belong.  From a legal perspective, most activities have five basic components:

 

·        A subject or actor…

·        Takes an action…

·        Against a recipient or object…

·        With some intention…

·        Achieving some result.

 

It is the combination of all five of these elements that helps differentiate actions within any legal framework.  Intending to run down someone and kill them with your car, for example,  is premediated murder (assuming you succeed) but might only be involuntary manslaughter if no intent was there. 

 

When applied to nation-states, this legal calculus gets particularly interesting.  We must assume that all nation-states will act with the intention of furthering their own existence and/or prominence…which, by definition means the weakening of some of the other nation-states around them.  If this is indeed the case, then the question that arises is whether the actions – ANY actions – by one nation-state against another should be considered an act of war.  Should the signing of a diplomatic treaty between two nations which limits a 3rd nation’s access to a desired resource/capability constitute an act of war against that 3rd nation? Let’s hope not, as this would call into question every nuclear proliferation treaty currently in existence.  If a nation state uses its resources to infiltrate and sabotage part of a nation’s infrastructure-building efforts in order to maintain or achieve a certain advantage (either geopolitically or during a future kinetic war), is that act itself an act of war?  Again, if it is then our participation in the Stuxnet attack against Iran in 2010 is tantamount to a declaration of war versus an act of espionage.

 

My point is this:  while the attack surface is vast and the weapons are different – and can be frightful – leaping to terms such as “warfare” and/or redefining acts of espionage as “war” are inappropriate solutions to addressing acts of malfeasance in cyberspance.   Make no mistake:  I do  believe that certain nation-state actors are indeed trying to limit if not destroy US influences and interests in the world…just as I believe that we have similar objectives when it comes to some of our more powerful (and more contentious) world neighbors.  Weighting this actions, though, with the baggage of “war” carries with it the spectre of unintended consequences…

 

…similar to those we might experience during the next kinetic war when a US soldier is tortured and our enemy responds that they were only using “enhanced interrogation techniques.”

 

My two cents…

 

Sunday, October 16, 2016

Ending the Hiatus


You never know the impact of what you're doing until you stop doing it.

Today is the 290th day of the calendar year.  I haven't posted a single entry to this blog during 2016.  Not because I had nothing to say...but, rather, because I found myself in transition once again.  

I thought my absence from the blogosphere would go unnoticed;  it has not.  Over the past several months folks have approached me (via email and in person) re: my absence.  Many of my friends were concerned that there was something wrong with my family or my health.  Indeed, nothing could be further from the truth.  My wife's third novel has been out for some time, and she is currently under contract to write three more.  My son is graduating college in less than 90 days...

...and as for me, I've gotten to start third career about a dozen years sooner than I had hoped :)

Click on this link to get a sense of what I'm doing/building today.  Meanwhile, expect to hear from me via this blog on a much more consistent basis.

Thanks to all for the good wishes, the support, and for the expressions of concern;  they are appreciated more than you know.  

Namaste...