Warriors of the Light (Blogger feed, last updated 2024-03-08; author: Anonymous, http://www.blogger.com/profile/10556330682717646220)

We're Moving! (2017-01-11)
Happy New Year, all!<div><br></div><div>I am pleased to announce that the home of this blog is moving to a new address. Those of you who enjoy my periodic rankings can find me now at <a href="http://www.security2cents.com" id="id_3309_5451_b1b5_f32e" target="_blank">www.security2cents.com</a>. This site will be easier to reach, easier to navigate, and easier to update on a regular basis. </div><div><br></div><div>Navigate over and check it out when you get a chance!</div>

The Future of Cybersecurity (2016-11-20)
<div style="text-align: justify;">Jim Routh is one of our industry's visionary leaders. I always enjoy listening to him and his vision of the direction of our profession. Recently, I had occasion to discuss with Jim his thoughts on the future of cybersecurity; he placed those thoughts in a white paper which you can find <a href="https://newcollege.asu.edu/sites/default/files/routh_the_future_of_cybersecurity_20161111.pdf" id="id_29f4_f1a8_1d17_fcac">here</a>.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Definitely worth your time. 
Enjoy!!</div>

Cybersecurity and the Board of Directors (2016-11-16)
<div style="text-align: justify;"><div>Over the past three weeks I’ve had occasion to attend three separate events all focusing on cybersecurity and the Board of Directors (BoD). Two events were multi-day events; the third was a webinar. The target audiences for these events varied from current board members to future CISOs.</div><div><br></div><div>Several themes emerged from those events that are worth sharing:</div><div><br></div><div>1.<span class="Apple-tab-span" style="white-space:pre"> </span><i>It’s an Understanding Barrier, not a Language Barrier.</i> Over the past decade security professionals have been encouraged to speak “the language of the business.” After attending these events I have become more convinced that it’s not the lack of a common language but an erroneous assumption of understanding that is impeding communications. When a security professional says things like “malware,” “darknet,” and “distributed denial of service attack,” we believe that there is at least a rudimentary understanding of the term. Not the technical aspects, mind you, but at least the basics of what the term means re: impact to the business. This is not the case. In one of the events that was geared toward board members, the security presenter spent the bulk of the time explaining the difference between a phishing attack and a DDoS attack. The executives present – all of whom sit on boards of directors – were extremely grateful for the very rudimentary explanation. Terms that most teenagers know today are so foreign to most BoD members that it is almost impossible for them to see the linkages between these threats, the existing risks, and the proposed actions. 
One BoD member for a well-known restaurant chain put it this way: “I know more about cuts of meat and purchasing produce than I ever thought I would know at 40. My five year old probably understands more about cyber than I do, though.” Security professionals would be well served to find ways to provide rudimentary education to their BoD members and their executives prior to risk decisions being made.</div><div><br></div><div>2.<span class="Apple-tab-span" style="white-space:pre"> </span><i>Everyone Has A Story – and It’s Usually Not A Pleasant One.</i> At all three events, more than one person couldn’t help themselves and went down the rabbit hole of telling their story of the “horrible, clueless BoD member/CISO” that they had to deal with at one time or another. We all know the pieces of this tragic tale: either it’s the CISO who “interfered with business” to the point where executives cheered when s/he left, or it’s the “clueless CXO” who had a risk appetite of zero yet would not fund or support the initiatives necessary to mitigate risks – and worse, took no ownership of existing risks. Both sides were frustrated and entrenched in their positions…to start. It took the guidance and leadership of the instructor cadres at these events to move the groups towards solutioning instead of griping. In our everyday lives, we need to do the same within our organizations.</div><div><br></div><div>3.<span class="Apple-tab-span" style="white-space:pre"> </span><i>The Threat Is Real. It Is Also Existential.</i> Even if we do everything correctly, the looming threat of an exposure or breach will always be there at a not insignificant level. Security professionals who persist in discussing innocuous threats with qualitative risk measurements in order to justify solutions must still grapple with the reality that their efforts will not offer the guarantees that executives would prefer to hear. 
The key discussion, of course, should be one of risk appetite and risk management; unfortunately, to have that discussion organizations must place some level of valuation on non-tangible assets such as data and reputation. </div><div><br></div><div>4.<span class="Apple-tab-span" style="white-space:pre"> </span><i>Come Together.</i> The most striking thing about these training events was the decided lack of commingling of executives and security professionals. While there were 1-2 exemplars of “the other side” at each event, none of these training organizations attempted to have both groups in the room together to learn from one another. We cannot learn to communicate with one another effectively if we continue to isolate ourselves from one another as we discuss the same problems.</div><div><br></div><div>On the positive side, I admit being pleased with the majority of the content of these training events – and the fact that this training was occurring at all. The recognition of the need to close the gaps between security and the BoD in order to address the challenge of cybersecurity is long overdue. Seeing organizations and individuals make a concerted effort at creating effective bridges gives me hope for the future of our cyber awareness & cyber capability.</div><div><br></div><div>My two cents…</div><div><br></div></div>

Recruiting and Retaining Cybersecurity Talent (2016-10-27)
<div style="text-align: justify;"><div>Last week I had the privilege of partaking in ISSA’s webinar regarding the current cybersecurity talent shortage. I was part of a panel which included a recruiting agency as well as two former CISOs discussing how we better identify, attract, and keep talent. 
Lots of different (and insightful) perspectives were put on the table; if you’re a hiring manager within the security space, this is definitely worth your time. Click on this <a href="http://www.issa.org/page/October2016" id="id_5558_adf8_83ee_59f7">link</a> to access a recording of the webinar…and let me know your thoughts!</div><div><br></div></div>

Thoughts on IoT Vulnerabilities (2016-10-27)
<div style="text-align: justify;"><div><i>(Warning: this post is a bit of a rant. Proceed at your own risk :) )</i></div><div><br></div><div>The more things change, the more they stay the same. This is the lesson we need to take from <a href="http://www.zdnet.com/article/the-dyn-report-what-we-know-so-far-about-the-worlds-biggest-ddos-attack/" id="id_243d_183a_d1ba_5de2" target="_self">last week’s DDoS attack</a> via (amongst other things) internet-of-things (IoT) devices.</div><div><br></div><div>Several years ago I gave a presentation on what I called the “Business Ideation Cycle” as it pertains to security. It goes something like this:</div><div><br></div><div><ol><li>The business has a “great idea” that’s highly innovative.</li><li>Business leaders discuss the benefits, costs, and risk…usually without security personnel present.</li><li>The business leaders get approval to pursue their idea and select a vendor…again, usually without input from security.</li><li>Sometime between proof-of-concept and going into production – and usually due to the fact that approvals of some sort are needed in order to go live – security is notified of the plan and asked to approve.</li><li>Security personnel start to (gasp!) ask questions about the security ramifications. They introduce risk concepts not solely related to profit and loss that are relevant to the implementation. 
</li><li>Business leaders complain to executives that security is “slowing things down” and “disrupting” business</li><li>In the end, one of two things happens: (a) the business implements a “shadow IT” infrastructure to achieve their objectives; or (b) the implementation is modified to account for security</li><li>Regardless of the decision in (7), the desired results which drove the innovative idea aren’t fully recognized or realized. In the case of Shadow IT, this gap is usually because the rogue implementation cannot be fully supported and/or cannot be scaled appropriately. In the case of a modified implementation, the modifications usually end up limiting some of the originally planned functionality</li><li>In the end, the business needs to take a different path to achieve its revenue objectives…resulting in further ideation and a brand new “great idea.”</li></ol></div><div><br></div><div>…and the cycle continues. </div><div><br></div><div>This cycle has existed for decades, if not longer. Many Warriors of the Light remember similar conversations around offshoring; outsourcing; laptops; WiFi; Bluetooth; and cloud-based services providers. As security professionals we tell businesses that we want to support their ideas, but we need to be brought into the processes earlier in order not to be a disruption. We tell our leaders that we are happy to assist in the deployment of this technology/solution/idea, but that our risk acceptance levels will (and must) change as we cannot guarantee the same risk levels as exist within the current operating model; and we diligently and rapidly clean up the messes that occur when we are not listened to.</div><div><br></div><div>While convenience and speed-to-market will always trump security in the minds of most businesses – and individuals – bolting on security as an afterthought is always more dangerous and more costly. 
If the <a href="https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/" id="id_cf23_2ab_173a_a62a">stories</a> are to be believed regarding a default password hard-coded into the firmware of the vulnerable devices, this is something that any application security engineer would have raised as a red flag if the company had performed an AppSec review. Instead, the company is now facing a recall of thousands of its devices as well as reputational damage – to itself and to the IoT industry as a whole. We need to move closer to a model where “security by design” becomes a value-added differentiator versus just an inconvenience or a necessary evil. </div><div><br></div><div>Security is not convenient…but it doesn’t have to be inconvenient if we factor in security considerations during the earlier phases of design – and throughout the entirety of the development/ideation life cycle.</div><div><br></div><div>My two cents…</div><div><br></div></div>

Cyberwar Revisited (2016-10-20)
<p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Over the past couple of weeks, I've had occasion to reflect upon the concept of “cyber warfare.” On one occasion I found myself disagreeing with a member of the local cyber community when he said, “make no mistake, we are at war." 
On another (more interesting) occasion I was speaking with a couple of law students who were discussing the possibility of redefining what “war” means in order to “deal with the new realm of cyberspace.”</span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> </span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">The term war brings with it a certain amount of gravitas, but with it also comes a plethora of baggage. The only thing more dangerous, though, than misrepresenting something as “war” is to invent new terms for things that are already well defined – similar to our reinvention of “torture” as “enhanced interrogation techniques.” (My father was waterboarded as a POW in Korea; in his words, “torture” is the only accurate term to describe this practice.) </span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><br></span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Rather than redefining “warfare,” mayhap it is time to use the existing lexicon to see where illegal acts in cyberspace accurately belong. 
</span><span style="background-color: rgba(255, 255, 255, 0);">From a legal perspective, most activities have five basic components:</span></p><ul style="text-align: justify; margin-left: 0.5in;"><li>A subject or actor…</li><li>Takes an action…</li><li>Against a recipient or object…</li><li>With some intention…</li><li>Achieving some result.</li></ul><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">It is the combination of all five of these elements that helps differentiate actions within any legal framework. Intending to run down someone and kill them with your car, for example, is premeditated murder (assuming you succeed) but might only be involuntary manslaughter if no intent was there.</span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> </span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">When applied to nation-states, this legal calculus gets particularly interesting. We must assume that all nation-states will act with the intention of furthering their own existence and/or prominence…which, by definition, means the weakening of some of the other nation-states around them. If this is indeed the case, then the question that arises is whether the actions – ANY actions – by one nation-state against another should be considered an act of war. Should the signing of a diplomatic treaty between two nations which limits a 3<sup>rd</sup> nation’s access to a desired resource/capability constitute an act of war against that 3<sup>rd</sup> nation? Let’s hope not, as this would call into question every nuclear proliferation treaty currently in existence. If a nation state uses its resources to infiltrate and sabotage part of another nation’s infrastructure-building efforts in order to maintain or achieve a certain advantage (either geopolitically or during a future kinetic war), is that act itself an act of war? 
Again, if it is, then our participation in the Stuxnet attack against Iran in 2010 is tantamount to a declaration of war versus an act of espionage.</span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> </span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">My point is this: while the attack surface is vast and the weapons are different – and can be frightful – leaping to terms such as “warfare” and/or redefining acts of espionage as “war” are inappropriate solutions to addressing acts of malfeasance in cyberspace. Make no mistake: I <i>do</i> believe that certain nation-state actors are indeed trying to limit if not destroy US influences and interests in the world…just as I believe that we have similar objectives when it comes to some of our more powerful (and more contentious) world neighbors. 
Weighting these actions, though, with the baggage of “war” carries with it the spectre of unintended consequences…</span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> </span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">…similar to those we might experience during the next kinetic war when a US soldier is tortured and our enemy responds that they were only using “enhanced interrogation techniques.”</span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> </span></p><p style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">My two cents…</span></p>

Ending the Hiatus (2016-10-16)
<div><br></div><div style="text-align: justify;">You never know the impact of what you're doing until you stop doing it.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Today is the 290th day of the calendar year. I haven't posted a single entry to this blog during 2016. Not because I had nothing to say...but, rather, because I found myself in transition once again. </div><div style="text-align: justify;"><br></div><div style="text-align: justify;">I thought my absence from the blogosphere would go unnoticed; it has not. 
Over the past several months folks have approached me (via email and in person) re: my absence. Many of my friends were concerned that there was something wrong with my family or my health. Indeed, nothing could be further from the truth. <a href="https://www.amazon.com/Leslie-Jones/e/B00SXHWC3A/ref=sr_tc_2_0?qid=1476651217&sr=1-2-ent" id="id_a9a7_1add_97ec_f69d">My wife</a>'s third novel has been out for some time, and she is currently under contract to write three more. My son is graduating college in less than 90 days...</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">...and as for me, I've gotten to start my third career about a dozen years sooner than I had hoped :)</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Click on <a href="https://newcollege.asu.edu/cybersecurity" id="id_e5a8_b165_6d96_77f3" target="_blank">this link</a> to get a sense of what I'm doing/building today. Meanwhile, expect to hear from me via this blog on a much more consistent basis.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Thanks to all for the good wishes, the support, and for the expressions of concern; they are appreciated more than you know. 
</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Namaste...</div>

My Christmas Wish List (2015-12-17)
<div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Dear Santa:</span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Yes, it's me again. I know, I know...it's been many years since I've written to you, and I'm probably older than the typical demographic you're used to hearing from. Still, I felt it was past time that I reached out to you again. As a security professional my job requires a goodly amount of optimism and positivity -- these are essentials when you stand in the gap and fend off the bad nasties in the world -- so I remain hopeful that you might see fit to grant me a Christmas wish or two.</span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">My list is short, and I know you're busy...so here goes:</span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="text-align: justify;"><ul><li><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">For the team of consummate security professionals that I work with now and have worked with over the years, I wish for them at least one week's worth of uninterrupted sleep. These are some of the finest sheepdogs (a la <a href="http://www.killology.com/sheep_dog.htm" id="id_c124_65aa_ad4b_7eca">the Dave Grossman definition</a>)</span> that I've had the privilege of serving with; they deserve some worry-free rest from the fight, if only for a moment.</li><li><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">For the spouses of every security professional that I know (including mine), I wish for them a refilling/replenishing of that seemingly endless font of patience and understanding that they continuously display. It is said that the wives of Spartans are the secret pillars which hold up the world; the significant others of security professionals prove this day-in and day-out as meals are interrupted, special dates are missed, and date nights are cancelled in our quest to keep the dragons at bay in the organizations that we are charged with protecting. May they never lose their love of -- or patience with -- us as we continue to stand in the gap.</span></li><li><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">For my son and those of his generation, I wish for a vigorous, pointed, and decidedly uncomfortable discussion on the true concept and meaning of privacy in 2016. While accepting that the definition (and expectation) of that term is evolving, the impacts of big data, data analytics, and the internet of things on the "Minority Report Generation" are only beginning to be felt and understood. If nothing else, I believe an acceleration and increase in the discourse is long overdue. </span></li></ul></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">I think that's it, Santa. 
If you could fi-</span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">...wait, what's that? What about ME? Oh, sorry about that. Truth is, though, I don't have a special wish I'd ask for you to fulfill for me. Other than the same thing I wish for every single day...</span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">..."just enough strength to stand in the gap tomorrow."</span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="text-align: justify;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Blessings to all this holiday season. Namaste...</span></div>

Speaking the "Language of Security" (2015-09-27)
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;">Recently, I've come
across a spate of articles discussing the need for security professionals to
"speak the language of the business."
This phrase has been used often to describe the underlying reason that
CSOs and CISOs are not considered strategic partners to the business leadership
(<a href="http://www.csoonline.com/article/2983139/security-leadership/can-training-transform-cisos-into-business-leaders.html" id="id_cda2_37bf_d323_1615">Taylor Armerding's recent article in CSO</a> summarizes the situation rather
nicely). Sure, we can all do better at
dumping the professional technical
jargon (and this has gotten much better over the past decade); but even as we
summarize risk tradeoffs in plain English, we Warriors of the Light are still
met with this biting (and trite) criticism regarding our inability to
communicate with our most important
constituent. When I've asked senior
business professionals what "the language of the business" means to
them, I've gotten inconsistent, nebulous answers. The best answer I received regarding this
topic came from a former CEO who came up through the finance ranks. "The
answer is dollars," he said to me. "Until you can tell me with
absolute certainty what not patching that system will cost me in dollars, or
what the absolute risk in dollars will be of not giving you a new tool or
another body, I will always question the truth of your calculus." This
calculus makes us slightly different from our IT brethren, who can link their
costs more directly to revenue via availability and/or new business.</p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;"> </p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;">A hard truth, to be
sure. Our profession will continue to struggle against this perspective. This
truth will become harder still as the scrutiny of senior leaders and even the
Board of Directors increases around security issues due to external regulatory
and consumer pressures. Yes, we security professionals still own the bulk of
the communication challenge…</p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;"> </p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;">…but we do not own
it alone. </p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;"> </p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;">While I applaud,
support, and participate in the efforts of the security community to bridge the communications gap -- and let's
be clear, it <span style="font-style:italic">is</span> our gap to bridge
-- it's time to address the other side
of this equation: the business itself. Communication, by definition, is
two-way. While it's incumbent upon me to learn the language of the environment
in which I operate, it is equally important for our business brethren to
understand and appreciate some of the equally hard truths that exist within
security's operating space.</p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;"> </p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;">Here are some hard truths that security professionals would
like business leaders to understand:</p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<ol type="1" style="margin-left: 0.375in; direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11pt;">
<li value="1" style="text-align: justify; margin-top: 0px; margin-bottom: 0px; vertical-align: middle;"><span style="font-weight: bold; font-style: italic; font-size: 11pt;">I Don't Want to Be Your Top Priority.</span><span style="font-size: 11pt;"> I recently heard a former
storied CEO and current board member of several prominent tech companies
say, "I want to know enough about security to know that we are okay,
so I can go on to the next
marketing problem." Frankly, I feel this attitude and approach is
healthy. He hired a CSO to take security off his mind. If that CSO does
his job correctly, the CEO's concerns will fade considerably. There are,
however, some upfront costs to that approach. The CEO and CSO need to work
together to decide how to depict data in a manner which resonates with his
concerns. My tools and processes can measure dozens of data sets, but what
is truly the best way to show the amount of work it's going to take to
defend the network? Or the daily
normalcy of attacks that occur (and our success rates against them)? As
your security professional, I will work
hard to determine the correct metrics to depict an appropriate
understanding of the landscape, as well as a holistic picture of our
security posture…but this will take some trial-and-error and some
back-and-forth between us. Be willing to make the time for that
collaborative discussion, as I am truly terrible at mind reading. Just ask my wife.</span></li>
</ol>
<p style="text-align: justify; margin: 0in 0in 0in 0.375in; font-family: Calibri; font-size: 11pt;"> </p>
<ol type="1" style="margin-left: 0.375in; direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11pt;">
<li value="2" style="text-align: justify; margin-top: 0px; margin-bottom: 0px; vertical-align: middle;"><span style="font-weight: bold; font-style: italic; font-size: 11pt;">While I Don't Need You To Agree With Me, I Do Need You to Listen
To What I Have To Say</span><span style="font-size: 11pt;">. Contrary to
anecdotal opinion, I'm not an alarmist. The sky is not falling, nor are
the evil hacker hordes storming the gates </span><span style="font-style: italic; font-size: 11pt;">RIGHT NOW</span><span style="font-size: 11pt;">. If I express a concern
about a business practice or operational decision, don't dismiss me as a
paranoid zealot who sees disaster around every corner. Just like business
leaders, security professionals hone their craft over the course of many
years. Our understanding of risk issues is as valid as a business leader's
understanding of market
opportunities. Give us the courtesy of your focus when we express a
concern, even when we can't necessarily present data analytics. Be aware
that sometimes empirical data only becomes clear in the aftermath of an
event, versus being a predictive indicator. </span></li>
</ol>
<p style="margin:0in;margin-left:.375in;font-family:Calibri;font-size:11.0pt"> </p>
<ol type="1" style="margin-left: 0.375in; direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11pt;">
<li value="3" style="text-align: justify; margin-top: 0px; margin-bottom: 0px; vertical-align: middle;"><span style="font-weight: bold; font-style: italic; font-size: 11pt;">Compliance is Not the Same Thing as Security</span><span style="font-size: 11pt;">. Too often businesses hire
security professionals either (a) in the wake of a breach; (b) to stay ahead of regulatory
demands; or (c) to appear 'focused'
on security challenges due to external pressures. Nothing wrong with these
incentives in the slightest, but the mindset of the business in these
situations tends to be focused on staying ahead of regulatory/compliance
issues versus addressing security needs. Actions which address truly
securing the environment but which aren't explicitly stated as a
regulatory requirement are seen as excessive or needless. We still run up
against this quite a bit in companies seeking to meet PCI-DSS
requirements; many businesses clearly see the need for a control applied
against their credit card data, yet struggle to see the need for similar
controls against the petabytes of non-anonymized personal data within
their environments. Businesses
should be honest with themselves and transparent with their
security professionals: if what you're looking for is just compliance,
tell us. It'll keep us from banging our heads against the wall as we
attempt to bring secure solutions to your enterprise.</span></li>
</ol>
<p style="text-align: justify; margin: 0in 0in 0in 0.375in; font-family: Calibri; font-size: 11pt;"> </p>
<ol type="1" style="margin-left: 0.375in; direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11pt;">
<li value="4" style="text-align: justify; margin-top: 0px; margin-bottom: 0px; vertical-align: middle;"><span style="font-weight: bold; font-style: italic; font-size: 11pt;">Stop Asking Us "Are We
Secure?"</span><span style="font-size: 11pt;">
The security professional defines "security" as freedom from
risk. No matter how good s/he may be, as long as its doors are open for
business a company will never achieve a zero-risk state; stop expecting me
to tell you that you will. This also applies to operational objectives
such as "never being breached" or "zero operational impacts
due to security events;" even
if you gave me every dollar I requested in my budget, I could never guarantee
you such absolute success. Now, asking me if our controls are up and
running or how our controls/performance compares to others in our business
vertical is fair and reasonable (though the latter may be hard to
determine due to a lack of information sharing about security issues).</span></li>
</ol>
<p style="text-align: justify; margin: 0in 0in 0in 0.375in; font-family: Calibri; font-size: 11pt;"> </p>
<ol type="1" style="margin-left: 0.375in; direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11pt;">
<li value="5" style="text-align: justify; margin-top: 0px; margin-bottom: 0px; vertical-align: middle;"><span style="font-weight: bold; font-style: italic; font-size: 11pt;">Let's Make Tradeoffs Together</span><span style="font-size: 11pt;">. The security professional's job is rooted in the
principles of risk management. This means making hard choices regarding
risk versus return. While we're comfortable with this, some circumstances do and will require
additional resources in order to keep the risk at its current level. The
business, not the security professional, makes the ultimate decision
either to (a) reallocate resources, or (b) accept the risk. This is an
important point to emphasize, because security professionals are facing
multiple challenges in this area. </span></li>
</ol>
<p style="text-align: justify; margin: 0in 0in 0in 0.375in; font-family: Calibri; font-size: 11pt;"> </p>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><p style="text-align: justify; margin: 0in 0in 0in 0.375in; font-family: Calibri; font-size: 11pt;">At
the end of the day, the function of a business is to make money. Business
leaders can be reluctant to acknowledge an increase in security risk, since
risk mitigation may be costly and blame can be the market's first reaction in
the event of an incident. Security professionals do understand the risk
tradeoffs, and accept them as part of growing a profitable business. We need
open, honest dialogue with you regarding risk tradeoffs. </p></blockquote>
<p style="text-align: justify; margin: 0in 0in 0in 0.375in; font-family: Calibri; font-size: 11pt;"> </p>
<ol type="1" style="margin-left: 0.375in; direction: ltr; unicode-bidi: embed; margin-top: 0in; margin-bottom: 0in; font-family: Calibri; font-size: 11pt;">
<li value="6" style="text-align: justify; margin-top: 0px; margin-bottom: 0px; vertical-align: middle;"><span style="font-weight: bold; font-style: italic; font-size: 11pt;">I Will Support & Defend the Business, Regardless of the
Decision You Make</span><span style="font-size: 11pt;">.
Once I've been heard and we've discussed tradeoffs, I will support your
decision and execute it to the best of my ability. Your decision to accept
additional risk does not give me a free pass to let bad things happen in
the environment. A security professional will always fight to keep the
evil hacker hordes from storming the gates, regardless of the risk
decisions made. Period.</span></li>
</ol>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;"> </p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;">While the bulk of
the communication burden rests with the security professional, I believe
business leaders also have a responsibility to come to the table ready for an
honest, open dialogue. Not wishing to burden the company with costs not
associated with direct revenue benefit is not a sufficient reason to avoid the
expertise and knowledge your CSO brings to any discussion. Give him a listen -
he might just surprise you.</p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;"> </p>
<p style="text-align: justify; margin: 0in; font-family: Calibri; font-size: 11pt;">My two cents…</p>
Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-32755217178860211382015-08-17T07:37:00.001-07:002015-08-17T07:37:39.907-07:00One CEO's View on a Point-of-Sale Breach<div style="text-align: justify;">In 2012, Penn Station Subs became a victim of one of the earliest reported point of sale (POS) compromises. Their CEO and leadership team took what were then considered to be drastic measures to remediate the situation and prevent its reoccurrence. Three years later, the Penn Station CEO (Craig Dunaway) has sat down to discuss his actions and his approach to the situation. While fellow Warriors of the Light may find very few surprises in this interview, it is useful to hear the perspective and thought processes of a chief executive around what could have been a potentially devastating situation for the franchise. You can find a link to the interview <a href="http://www.databreachtoday.com/interviews/breached-retailer-i-wish-i-had-known-how-sophisticated-i-2833" id="id_8b21_e9d9_f8c0_6b64">here</a> -- and you might want to consider sharing this link with the executives in your own organization.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Enjoy!</div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-32549837975674577632015-06-23T10:07:00.001-07:002015-06-23T10:07:10.624-07:00Fitbit Data Helps Disprove Rape ClaimI know, I know...not the typical headline you expect to see on a security topics blog. Bear with me for a bit, though...<div><br></div><div style="text-align: justify;">Last March a woman named Jeannine Risley called 9-1-1 alleging that a man in his 30s had broken into the place she was staying, woke her, and raped her. Police found overturned furniture, a vodka bottle, and a knife on the scene when they responded. 
Still, something didn't seem right about the story (example: there was fresh snow on the ground and there were no footprints in the snow leading to the house) so they kept investigating. As part of the investigation, police requested that Mrs. Risley provide them the Fitbit device that she was wearing so that they could analyze the data. Sure enough, the Fitbit data proved that Mrs. Risley was awake and walking around during the period when she claimed to be asleep. This, combined with other evidence, provided sufficient cause to charge Mrs. Risley with several misdemeanor offenses.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">As one might imagine, it is the use of Fitbit data that has propelled this matter to the national stage. As those in our profession have stated far too often, once individuals place data "out there" it is nigh impossible to restrict its use. Mrs. Risley willingly wore a device designed to track and record her activity; it should not be surprising to anyone that that same data could be used to prove or disprove the commission of an unlawful act. While it's doubtful that this one case will spark a substantive ripple in the push for <a href="https://en.m.wikipedia.org/wiki/Wearables" id="id_d3b4_4732_b392_2851">wearable technologies</a> or an expansion of the <a href="https://en.m.wikipedia.org/wiki/Internet_of_Things" id="id_cbde_9694_59a5_336b">Internet of Things,</a> we might finally begin to see some chatter outside of our own professional circles about the privacy and legal implications of an uber-networked society -- to include protecting the data collected from unauthorized alteration.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">My two cents. 
Click <a href="http://lancasteronline.com/news/local/woman-staged-rape-scene-with-knife-vodka-called--/article_9295bdbe-167c-11e5-b6eb-07d1288cc937.html" id="id_5f73_c6d5_efcb_df31">here</a> for a quick link to the original story.</div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-59913556342914233432015-06-08T16:17:00.001-07:002015-06-09T13:46:43.150-07:00Security IPB<div style="text-align: justify;">For the past 6 weeks I have been listening to the rumbles and fallout of the RSA conference…</div><div style="text-align: justify;"> </div><div style="text-align: justify;">…no, that’s not quite correct. It’s not been the fallout from the conference itself, but of the gauntlet thrown by RSA’s new president, Amit Yoran.</div><div style="text-align: justify;"> </div><div style="text-align: justify;">In his keynote address, Amit called out the security industry for its “dark ages” approach to the problem of security, laying out 5 tenets for navigating the terrain of today's new security battlefield. While I was not in attendance at RSA this year (San Francisco for a conference or the Caribbean for my wife's birthday? Hmm…), I read both the RSA press release and a transcript of the address in the days after the event.</div><div style="text-align: justify;"> </div><div style="text-align: justify;">I am wholeheartedly supportive of Amit’s overall message regarding the need for both the security industry and the security profession to adjust their thinking regarding the problem and the fight. Should we fail to make such an adjustment, we will continue to be viewed as an obstacle to success, an impediment to revenue…and, should we continue to fail in our perceived mission, we risk being viewed as an ineffective drag on profitability. That being said, as the profession reaches to pick up the gauntlet that Mr. 
Yoran has thrown, it is important to understand the full context of the battlefield on which we fight. Amit pulls upon his experience as a West Point graduate and former military officer. As another graduate and former military officer, allow me to continue the analogy by doing some old-fashioned “intelligence preparation of the battlefield (IPB)” and take a deeper look at some of the battlefield conditions we face daily.</div><div style="text-align: justify;"> </div><div style="text-align: justify;">1.<span class="Apple-tab-span" style="white-space:pre"> </span><i>We need to preach to the masses, not to the choir</i>. “Let’s stop believing that even advanced protections work. No matter how high or smart the walls, focused adversaries will find a way over, under, around, and through.” My first thought when I read this statement was, “Preach it, brotha!” Every board member and every executive I meet when I take a new job wants to know that they are “safe.” I spend much of my time during the first 30 days of any new gig reminding executives that as long as they are open for business they will never be completely invulnerable. My next thought around this point, though, was to hope that members of the security industry (those professionals who create and market the wonderful tools, technologies, and services we all use) and not just the security profession (in-house personnel currently working to protect an organization’s resources) heard what Amit was saying. While it remains true that any professional who thinks they can make an enterprise invulnerable needs a wake-up call, it is equally true that members of the security industry also need to stop making promises of nirvana and panacea -- and not just to us, but to those around us who can influence purchasing. 
How many of us continue to have to address the CFO, CIO, or CEO who “just talked to XYZ Vendor and they said we can’t be compliant/secure/grow hair/stop global warming without their product?” Indeed, as C-level security professionals are increasingly weaving a story of managed risk and potential vulnerability, the security industry has begun to find points of entry into the enterprise that do not involve us. Amit alludes to such promises being made during his address, but this point should not be glossed over as it is a contributor to some of the challenges we face daily whilst attempting to secure the enterprise.</div><div style="text-align: justify;"> </div><div style="text-align: justify;">2.<span class="Apple-tab-span" style="white-space:pre"> </span><i>There is a cost associated with visibility – and that cost exists outside of the security budget</i>. Amit advocates “a deep and pervasive level of true visibility everywhere -- from the endpoint to the network to the cloud.” He goes on to describe true visibility as including things such as full packet capture; endpoint compromise assessment visibility; and a detailed understanding of which systems are communicating with which, and what’s being communicated. Many security professionals are faced with the ever-present quandary of obtaining complete, detailed, and accurate data flow diagrams within older, multi-faceted enterprises. In many cases (except in heavily regulated spaces), these diagrams do not exist until security personnel ask for them -- and when provided, their accuracy levels tend to be suspect. Further, assuming the data flows exist, the level of potential increase in bandwidth and horsepower on the network and the systems themselves in order to provide “true visibility” may be punitive and/or force systems upgrades and unexpected costs within the IT organization. (Think I’m kidding? 
How many of you reading this article have been told that “turning auditing on for <insert system here> will kill the server/bog down the application/consume too much bandwidth?”)</div><div style="text-align: justify;"> </div><div style="text-align: justify;">3.<span class="Apple-tab-span" style="white-space:pre"> </span><i>You can’t ignore the rest of the I-AAA equation.</i> Amit rightfully discusses the importance of Identity and Access “[i]n a world with no perimeter and fewer security anchor points.” Let us remember, though, that there are two other A’s to the I-AAA equation and at least one of them is of equally (if not more) critical importance in the current terrain: Authorization. Pop quiz, everyone: raise your hand if you can, with 100% certainty, guarantee that you know exactly the privileges and roles for absolutely every system and person in your organization AND that they are 100% complete, accurate, and appropriate. I'm not talking about the quarterly signoffs that organizations do in lieu of the in-depth visibility that Amit is referring to, but rather a detailed role mining and mapping of every system and every application in the enterprise to a meticulous level of detail that ensures entitlements are tight and accurate. </div><div style="text-align: justify;"> </div><div style="text-align: justify;">Most mature enterprises struggle with I-AAA over time. Unless the organization has either (a) taken the opportunity to maintain entitlement and role accuracy throughout its life cycle, or (b) invested the time (and not insignificant dollars) to do the detailed analysis and mapping, the result is a level of blindness to entitlements which is a (if not <i>the</i>) major contributor to security professionals maintaining a border-centric outlook. If I don’t know who you are and/or whether where you are allowed to go is appropriate, then the easiest solution is to build a wall and limit the entries/egresses to the castle. 
Cleaning up the authorization problem requires a level of (expensive) buy-in from IT and the organization as a whole. Many organizations do not see the criticality of such an expense yet still wish for the flexibility of a borderless environment…placing the security professional in the awkward position of appearing to be a Luddite and an inhibitor to the business or weakening (if not eliminating) the ROI associated with borderless cloud-based operations.</div><div style="text-align: justify;"> </div><div style="text-align: justify;">4.<span class="Apple-tab-span" style="white-space:pre"> </span><i>Asset categorization, to be useful, requires a depth of understanding of the enterprise and data flows</i>. In most organizations, at least part of the assets considered to be critical and/or high value would be data. Strongpointing your defenses around critical assets which house the data is a good start…but it also means controlling who has access to that data and the systems which communicate to/from that critical asset. In other words, in order to effectively accomplish Point 5 of Amit’s 5-point plan, Points 2 (deep visibility) & 3 (strong identity & access) need to be accomplished first. Again, these objectives will require buy-in and expense outside of security’s bailiwick in order to succeed.</div><div style="text-align: justify;"> </div><div style="text-align: justify;">Amit Yoran’s call to arms is one that is timely, accurate, and much needed…as far as it goes. Yes, security professionals need to look at the problem differently and more holistically, but I would also contend that many (most?) C-level security professionals already do this and are actively educating our teams and constituents appropriately. The challenge, however, in operating in a manner reflective of a proper mindset is to change the conditions of the battlefield upon which we engage. 
The security profession continues to refine our language and our metrics to discuss the causal relationships between incomplete data flow analysis, I-AAA concerns, and the increased risks of tearing down borders -- with mixed success. The border is effectively dead, yes…but security professionals cannot maintain comparable levels of risk to the enterprise if we tear down the borders without addressing the areas in Amit’s five-point treatise. This requires those we serve to (a) prioritize the efforts necessary to allow the depth of insight into the enterprise necessary to manage risk in a borderless world, and (b) accept the fact that regardless of this level of detail we will be compromised to some extent. </div><div style="text-align: justify;"> </div><div style="text-align: justify;">(Let’s not forget, either, that the security industry will need to continue evolving its toolset and its message, to include delivering this same message to the Boards of Directors and chief technologists whom we serve and eschewing discussions about security which do not include members of the security team.)</div><div style="text-align: justify;"> </div><div style="text-align: justify;">Understand that I offer this analysis not as an excuse for inaction but rather as a completion of the treatise offered by Mr. Yoran. 
Throwing away the old maps, as Amit suggests, is important…but equally important is acknowledging the limitations of the terrain upon which we Warriors of the Light do battle every single day (even as we struggle to modify the terrain to suit our needs).</div><div style="text-align: justify;"> </div><div style="text-align: justify;">Amit has thrown down a gauntlet to the security industry and the security profession alike; however, I believe what he will find is that many of us picked up this gauntlet many moons ago and are already fighting the good fight.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Welcome to the line, Brother Amit. Your shield, your sword arm, and your voice are more than appreciated.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">My two cents…</div><div><br></div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-33314879509386439022015-04-27T12:28:00.001-07:002015-04-27T13:10:25.445-07:00Thoughts on The Irari Rules<div class="WordSection1" style="page: WordSection1;"><p class="MsoNormal" style="text-align: justify; margin: 0in 0in 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">I’ve had the pleasure of knowing Ira Winkler and Araceli Treu Gomes for over a decade now. Both are quality and insightful security professionals who raise the bar within our industry. 
As such, I’ve enjoyed reading their joint commentaries on various security issues and challenges over the past few months.</span></p><p class="MsoNormal" style="text-align: justify; margin: 0in 0in 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Winkler and Gomes’ latest contribution to the fight is “</span><a href="http://www.computerworld.com/article/2913378/cybercrime-hacking/the-irari-rules-for-declaring-a-cyberattack-sophisticated.html" id="id_41fc_6bba_7574_5583">The Irari Rules</a><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">” (named after a combining of their first names). The relevance of the Irari rules re: determining the true technical attack sophistication cannot be overstated; it is easy for business leaders and other technology professionals to talk about a new level of sophistication in attacks when in reality we are seeing increased efficiencies and volume around highly predictable (and preventable) attack vectors. 
That being said, Winkler and Gomes take a slight – and, in my opinion, erroneous – detour in their conclusions which may obscure some of the important messaging we all need to hear.<o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify; margin: 0in 0in 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Think about what the Irari rules are advocating for a second:<o:p></o:p></span></p><ul type="disc" style="margin-bottom: 0in; margin-top: 0in;"><li class="MsoNormalCxSpMiddle" style="text-align: justify; margin-bottom: 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Use anti-virus or anti-malware software<o:p></o:p></span></li><li class="MsoNormalCxSpMiddle" style="text-align: justify; margin-bottom: 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Patch your systems<o:p></o:p></span></li><li class="MsoNormalCxSpMiddle" style="text-align: justify; margin-bottom: 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Use multi-factor authentication<o:p></o:p></span></li><li class="MsoNormalCxSpMiddle" style="text-align: justify; margin-bottom: 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Change passwords frequently<o:p></o:p></span></li><li class="MsoNormalCxSpMiddle" style="text-align: justify; margin-bottom: 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Create detailed, realistic, holistic education programs<o:p></o:p></span></li><li class="MsoNormalCxSpMiddle" style="text-align: justify; margin-bottom: 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Turn on and monitor your alert mechanisms<o:p></o:p></span></li><li class="MsoNormalCxSpMiddle" style="text-align: justify; margin-bottom: 10pt;"><span style="-webkit-text-size-adjust: 
auto; background-color: rgba(255, 255, 255, 0);">Segment your networks</span></li><li class="MsoNormalCxSpMiddle" style="text-align: justify; margin-bottom: 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Aggressively manage user accounts and their privileges</span></li></ul><p class="MsoNormal" style="text-align: justify; margin: 0in 0in 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">None of this is rocket science -- nor is it anything that we as security professionals haven’t been saying for the better part of two decades, with arguably the same level of mixed (poor?) results. Yet clearly something <i>has</i> changed within the ecosystem given that (a) the number of compromised records per breach has increased exponentially; and (b) concern regarding breaches has entered the mainstream consciousness. So if it’s not the sophistication of the technical attack…what’s going on?</span></p><p class="MsoNormal" style="text-align: justify; margin: 0in 0in 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Winkler and Gomes posit that the “new normal” for organizations should be to “<span lang="EN">expect to be targeted by people with more than a trivial level of skills and the time and resources to search for blatant vulnerabilities.” This would seem to support an argument for the efficacy of a more sophisticated <i>attacker</i> as opposed to a more sophisticated <i>attack</i> – which results in higher levels of risk overall to an organization. Remembering the basic risk multiplicative of (T)hreat x (V)ulnerability x (A)sset-Value, a more sophisticated threat can make better use of existing vulnerabilities than a casual aggressor. 
Continuing the lock analogy used in their article, the issue isn’t whether the door is locked or not as most security is rarely so binary a calculus; rather, it’s the newness and maintenance of the locks in place. While these locks may be sufficient to stop an opportunistic intruder, a focused intruder with moderate skills could defeat these locks (single factor authentication; static passwords; etc.) with relative ease.<o:p></o:p></span></span></p><p class="MsoNormal" style="text-align: justify; margin: 0in 0in 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><span lang="EN">There’s another factor in the risk equation that Winkler and Gomes have failed to consider: asset value. </span>While consumers have not yet fully rationalized their willingness to achieve convenience and personalized service via providing personal data with their concerns over its use, the value of data to both individuals and corporations has increased dramatically. As the value and proliferation of data within organizations increases, the security professional must reevaluate whether the locks remain sufficient and are sufficiently maintained to mitigate risks within the environment to an appropriate level. <o:p></o:p></span></p><p class="MsoNormal" style="text-align: justify; margin: 0in 0in 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Winkler and Gomes conclude that “(c)laims of sophisticated attacks deflect blame, obscure the need to make improvements and attempt to shirk responsibility for implementing poor security efforts.” In this I agree…but only to a point. Yes, claims of sophistication can contribute to obscuring the need for improvements, but the argument for improving programs isn’t in the elimination of obscuration but the removal of our profession's own obfuscation of risk issues. 
Fundamental blocking and tackling within a security program is essential, yes...but even the best managed programs can’t bring risk to zero. As we do the blocking and tackling to eliminate vulnerabilities, it is equally critical to acknowledge attacker (versus attack) sophistication as well as the marked increase in asset value regarding data. In this environment, yesterday’s locks and windows (read: yesterday’s security program implementation) won’t keep the bad guys away.</span></p><p class="MsoNormal" style="text-align: justify; margin: 0in 0in 10pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">My two cents…</span></p></div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com2tag:blogger.com,1999:blog-997315269912926632.post-86702220084190253072015-03-22T10:48:00.001-07:002015-03-22T10:48:00.927-07:00Security Awareness: Changing User Behavior Reduces Overall Risk<div style="text-align: justify;">Last week I was asked to participate in a webinar regarding security awareness and its efficacy within the workplace. I and my fellow panelists -- Sam Masiello of Teletech; Michael Angelo of NetIQ, and Joe Ferrara of Wombat Security -- had a lively and wide-ranging discussion of the benefits, pitfalls, and challenges of security awareness. If you're interested, the webinar is available for playback<a href="https://goto.webcasts.com/starthere.jsp?ei=1049790" id="id_a147_4edb_29b4_e74a"> at this link.</a> Note, you'll be required to register at the site before viewing/listening. 
</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Enjoy!</div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-66315731039420623622014-10-04T07:13:00.001-07:002014-10-04T07:13:45.059-07:00"What Keeps You Up at Night?"<div style="text-align: justify;">Recently I was asked by <i>SecureWorld</i> to write an article responding to the question, "What keeps you up at night?" Like most security professionals, I get asked that question quite a bit in various contexts. </div><div style="text-align: justify;"><br></div><div style="text-align: justify;">My answer to this question tends to be somewhat unorthodox, but it brings a perspective to the problem that I believe we Warriors of the Light should contemplate and consider. My full response can be found here <a href="http://www.secureworldexpo.com/secureworld-speaks-kim-l-jones" id="id_b17f_a6e4_53d9_c0b3">on the <i>SecureWorld</i> site</a>. Give it a read and let me know what you think!</div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-56884799250957853892014-09-11T07:45:00.001-07:002014-09-11T07:45:48.422-07:00It Is Still All About The Business<div style="text-align: justify;">Two weeks ago, Baseline Magazine published the results of a survey regarding <a href="http://www.baselinemag.com/careers/slideshows/are-c-level-execs-disparaging-cisos.html/" id="id_9c41_d6f6_d6bd_b67a">executives' views toward the CISO position</a>. The results were less than encouraging:</div><div style="text-align: justify;"><ul><li>74% of the C-Level executives surveyed believe that CISOs should not be a part of organizational leadership teams</li><li>44% view the <i>primary</i> role of the CISO as "being accountable for any organizational data breaches."</li></ul><div>These results are not surprising to most practitioners. 
In many companies, the title ‘CSO’ stands for “chief scapegoat officer” even to this day. CSOs and CISOs live in fear of the inevitable breach, because such an event will lead to accusations and recriminations versus investigation and remediation. Ironically, this attitude by the organization's executives actually reduces the efficacy of the security team. In addition to creating an undertone of survival and us-against-the-world within the CISO organization, the senior security executive now feels compelled to spend a goodly portion of their time covering themselves (i.e., "creating the paper trail") and focusing on tactical issues versus strategically driving the security program.</div><div><br></div><div>While many of my brethren will focus on the aforementioned results, this survey reveals a more telling statistic: 68% of the executives surveyed feel CISOs lack broad awareness of organizational objectives and business needs. Despite our best efforts, and despite certifications that preach otherwise, we are clearly failing to adequately link ourselves to the businesses we support. While there are no silver bullet answers out there, here are a couple of tips and pointers that I've found effective in bridging the "business gap" over the years:</div></div><div style="text-align: justify;"><ul><li><i>Ask The Key Question</i>. When I assume the role of CSO/CISO in any organization, I make it a point to meet every business line leader and their direct reports within the first two weeks of my arrival. The first question that I pose to each of them is always the same: "How do you make money?" Not "what do you do for a living," but how does that business unit generate revenue for the organization? When they answer me, I keep probing and asking questions until I truly have at least a high-level understanding of the services and products offered and how they contribute to the company's bottom line. 
Once you understand how the business makes money, it becomes exponentially easier to understand where security controls are appropriate -- and, more importantly, the potentially negative impact a specific control can have on the revenue picture. </li></ul></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div style="text-align: justify;"><div><div>Note that I used the terms "money" and "revenue" instead of "profit." Even non-profit and not-for-profit organizations generate revenue to pay the bills. While the mission/purpose of any organization is critical, that mission must generate some level of revenue in order to succeed at its efforts.</div></div></div></blockquote><i><br></i><div style="text-align: justify;"><ul><li><i>Have A Strategy. </i>Sounds simple, right? Yet to this day a significant portion of CSOs do not have a documented strategy. Those who have documented their strategies tend to link their objectives solely toward risk reduction and mitigation versus achieving the business' objectives -- which leaves an impression with executives that security is something that they "have to do" that is diverting expenditures away from revenue-generating efforts.</li></ul></div><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div style="text-align: justify;"><div><div>I'm an old <a href="http://en.m.wikipedia.org/wiki/Common_Criteria" id="id_4405_1620_f639_c4f8">Common Criteria</a> (CC) tester and evaluator. The one thing that I loved about the CC was its structured approach regarding requirements. Functional requirements led to technical functional requirements which in turn logically led to security functional requirements. I take a similar approach when structuring my strategic imperatives. The business wants to do something; that "something" will require specific operational and technical capabilities. 
Creating those capabilities at a risk level consistent with current risk levels requires us to enable/enhance/create these specific security capabilities. This linkage helps intrinsically tie your security endeavors to the business. </div><div><br></div><div>Understand that there are times that you will need to drive compliance and/or risk reduction activities purely for the sake of compliance/risk reduction; but never forget that being compliant is a <i>business </i>requirement and that you are reducing risk to a level <i>acceptable to the business</i>. <b>Say those things </b>in your strategy.</div></div></div></blockquote><span style="text-align: justify;"><ul><li><i>Educate Your Teams. </i>You can't be the only one that understands the business; every member of your team needs this level of understanding as well. Not only will it change the optics re: your team as they interface with the business, but it will also enable them to bring more business-appropriate solutions to the table as they problem-solve in the security space. </li></ul></span><div style="text-align: justify;"><div><div>It would be easy for us to make a bit of a chicken-and-egg argument here and claim that we security warriors can't start thinking strategically and better integrate security with the business because we fear recriminations when something goes wrong. If this survey is any indication, though, we are collectively limiting -- if not damaging -- the profession by not aggressively focusing on relating our activities to our organizations' strategic imperatives. If we are living in an era where massive breaches are becoming commonplace and we cannot guarantee that a breach will not occur, then a lack of a strategically-driven security program that is intrinsically linked to business objectives only justifies the opinions listed above.</div><div><br></div><div>My two cents... 
</div></div><div><br></div></div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-84390867181412062382014-08-23T08:50:00.001-07:002014-08-23T17:36:02.568-07:00The Impact of Situational Privacy<div style="text-align: justify;">
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">Pop quiz today! Which of the following situations is a
violation of privacy:</p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<ul type="disc" style="margin-left:.375in;direction:ltr;unicode-bidi:embed;
margin-top:0in;margin-bottom:0in">
<li style="margin-top:0;margin-bottom:0;vertical-align:middle"><span style="font-family:Calibri;font-size:11.0pt">A national retailer utilizes
purchases you make with them to send you advertisements about products you
might enjoy or need</span></li>
<li style="margin-top:0;margin-bottom:0;vertical-align:middle"><span style="font-family:Calibri;font-size:11.0pt">A reputable search engine
utilizes data about you from previous searches and other products to
better tailor its content to your needs</span></li>
<li style="margin-top:0;margin-bottom:0;vertical-align:middle"><span style="font-family:Calibri;font-size:11.0pt">A government entity utilizes
data in the public domain to hone in on potential criminals.</span></li>
</ul>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">If you answered
anything but "it depends" on this quiz, you haven't been following
the nuances of the privacy debate lately :)</p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">Let's get a little
deeper into each of these examples for just a moment:</p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<ul type="disc" style="margin-left:.375in;direction:ltr;unicode-bidi:embed;
margin-top:0in;margin-bottom:0in">
<li style="margin-top:0;margin-bottom:0;vertical-align:middle"><span style="font-family:Calibri;font-size:11.0pt">In 2012, <a href="http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/ " id="id_737f_3894_b9fb_4382">Target came under
media scrutiny</a></span> for using data analytics to predict which of its shoppers
might be pregnant. The retailer
then began sending coupons to those shoppers for things like baby clothes,
strollers, etc. The story made news
when one Minnesota father noticed that his teenage daughter was receiving
these materials. The irate father
marched into a local Target, demanding to see a manager, and accused the
retailer of attempting to encourage his daughter to get pregnant…only to
find out from his daughter that she was, indeed, already pregnant. Target's analytics had identified her
pregnancy before her own father had known. </li>
<li style="margin-top:0;margin-bottom:0;vertical-align:middle"><span style="font-family:Calibri;font-size:11.0pt">Just last month, <a href="http://www.ideastream.org/news/npr/335404545" id="id_e269_83c0_9ab8_5e51">Amazon.com
celebrated its 20th birthday</a></span>. One
of the features this massive online retailer is known for is utilizing
knowledge of your shopping habits to send you advertisements about
products and services which you might enjoy. As of this year, Amazon is exploring
pushing the envelope around this concept and has taken a patent out on
what it is describing as "<a href="http://business.time.com/2014/01/18/amazon-wants-to-send-you-stuff-before-youve-even-decided-to-buy-it/" id="id_97d_8968_5329_a84a">anticipatory shipping</a>." Utilizing the data it already
has about you, the mega-retailer intends to just start sending you items which
it believes you want <span style="font-style:italic;font-family:
Calibri;font-size:11.0pt">before you purchase them</span><span style="font-family:Calibri;font-size:11.0pt">, arguing that the success
rate of its algorithms is such that the number of returns would not exceed
the benefits reaped by this level of customer service. </span></li>
<li style="margin-top:0;margin-bottom:0;vertical-align:middle"><span style="font-family:Calibri;font-size:11.0pt">Several years ago, people
started noticing that their search engines -- in particular, Google --
were <a href="http://themetaq.com/articles/reasons-your-google-search-results-are-different-than-mine" id="id_187e_ecb_75f6_9360">displaying different sets of results for the same question</a></span>. Upon further exploration, people
discovered that most search engines utilize data from your
location and your browser history to better customize answers for
you. Providing such customization
makes it easier to retrieve more meaningful results for the consumer which
shortens search time…and also makes it easier to tailor advertisements to
the consumer that s/he might be interested in. The downside, of course, is that it may
also be masking important yet contradictory information that is relevant
to the individual's search -- thus reinforcing research bias. (Note:
you can turn off "search customization" (as Google refers
to it), but it's difficult to find out how if you go onto their support
site. The link above also provides information on how to disable search
customization relatively easily.)</li>
<li style="margin-top:0;margin-bottom:0;vertical-align:middle"><font face="Calibri"><span style="font-size: 11pt;">In June 2013 Edward Snowden </span></font><a href="http://www.cbsnews.com/feature/nsa-surveillance-exposed/" id="id_e684_2cf_a6e6_5985" style="font-family: Calibri; font-size: 11pt;">exposed the NSA's domestic cellular collection program</a>. <span style="font-family:Calibri;font-size:11.0pt">The general public was outraged that the
government would utilize cellular metadata (such as location information)
to spy on its citizens; however, these same citizens exhibited no qualms
about carrying a device which regularly broadcasts location nor the <a href="http://www.usatoday.com/story/news/nation/2013/12/08/cellphone-data-spying-nsa-police/3902809/" id="id_1474_9b56_4322_4c5e">use of
that location data by other governmental entities and agencies</a></span>.</li>
</ul>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">The examples above are
illustrative of the complexity around privacy.
Gone are the days when we could simply state that "<x> data is private"; indeed, we are moving more to an environment of "situational
privacy" where the data itself isn't as much an issue as <i>how</i> the data is
used. Consumers freely and openly volunteer exabytes of data
on a daily basis for seemingly innocuous transactions…yet they are regularly
shocked and angered as this data is combined with other seemingly innocuous
(and freely given) pieces of data to
provide predictive intelligence to marketers, <span style="font-size: 11pt;">corporations…and
yes, to government entities.</span></p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">As security
professionals, we are becoming more embroiled in the debate around
privacy. Remembering that privacy itself
is impossible without appropriate
security controls, the situational nature of data mining and appropriate
data usage makes the protection
equation daunting. Do we wrap a cocoon of Pentagon-level
protection around the data lake, even though 99% of the data within it is
considered publicly available? Do we
inject ourselves into the data analytics process and become part of the
arbitration question re: should we use the data in a certain fashion? Can we monitor and limit/restrict data
combination similar to the way in which systems can monitor separation of
duties access control issues? </p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">Let's take it a step
further. Remembering that corporate data
analytics seeks to (among other things) improve the sales cycle and make
marketing campaigns more efficient, imagine the implications if the bad guys
choose to take such an approach.
Consider: your systems are
penetrated and data is stolen…but none of the data is regulated by current
privacy law or regulation. Six months
later, the bad guys run data analytics against the acquired data and determine
the best targets for fraud or scam. You
protected the data and your borders reasonably and can show a tiered approach
to your controls…and those controls were appropriate for your environment…you even prevented the breach from reaching the most sensitive data stores…yet
data stolen from you was used to target your customers in the same manner that
your marketing and sales team target prospects.
Imagine the liability issues that will circulate through the courts.</p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"><br></p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">As your
organization recognizes the value of the data it holds, it is important that we
as security professionals remind people of the larger risk & privacy
landscapes out there. We cannot rely
solely on the legal/regulatory framework to guide us as the potential brand
risks go beyond what the hodgepodge of privacy regulations currently
address. In most cases, you will
be the first person to bring these concerns to light and as such will risk the
possibility of being initially portrayed as
a naysayer…but more often the
security warrior ends up prognosticating
future risks and challenges looming on the horizon. As we continue to enable our businesses we
must ensure that the aforementioned questions -- and dozens more -- are
acknowledged and addressed by our business leaders.</p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt"> </p>
<p style="margin:0in;font-family:Calibri;font-size:11.0pt">My two cents…</p>
</div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-20496040137197291942014-08-07T12:32:00.001-07:002014-08-07T12:32:29.927-07:00Password Redux<div style="text-align: justify;">Given the spate of security compromises that have occurred this past year, many of my posts have emphasized the need for aggressive password management. Unfortunately, aggressively managing passwords comes with its own set of problems and challenges. Here are a few tips and pointers to help:</div><div style="text-align: justify;"><br></div><div style="text-align: justify;"><ul><li><i>How Can I Tell If My Password Is Strong?</i> As a general rule, passwords are considered strong if they contain a combination of upper- and lower-case letters, numbers, and special characters. Passwords should be at least 8 characters in length, as shorter passwords are exponentially easier to break.</li></ul></div><div style="text-align: justify;"><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div style="text-align: justify;">If you want to get a sense of how strong your password might be, take a gander at <a href="howsecureismypassword.net" id="id_5d6c_d90f_27cc_6c0">howsecureismypassword.net</a>. The site doesn't capture your password, but it'll give you a readout of how long it will take a standard modern PC to crack your password. It's not mathematically perfect, but it can easily show you the difference that just adding one special character or lengthening your password makes.</div></blockquote><ul><li><i>How Do I Keep Track of All My Passwords? </i>Remembering all those complex passwords is the biggest reason people reuse passwords or choose weaker passwords. There are a handful of different things you can do to help with this problem:</li><ul><li>There are ways to construct complex passwords that make them less random and thus easier to remember. 
There are several articles which lay out different schemes. Here's a <a href="m.wikihow.com/Create-a-Password-You-Can-Remember" id="id_654e_1aed_904e_6070">link</a> to one of the better ones.</li><li>Place your passwords inside a spreadsheet or document, then save that document in password-protected mode. <i>Then</i> compress/zip that file using software which allows you to encrypt the file and password protect it (e.g., WinZip).</li><li>There are a variety of password management tools out there which will store and protect your passwords for you on your computers and mobile phones. If you go this route, though, ensure that your tool is reputable -- since bad guys will throw up faux "password management" apps as a method of stealing your passwords. The reputable password management tools all have advantages and disadvantages; <a href="http://www.pcmag.com/article2/0,2817,2407168,00.asp" id="id_45_da18_36fe_ad94">this recent article</a> reviews and compares them all. For free applications I like KeePass...but LastPass Premium ($12/year) is truly the gold standard for password management tools.</li></ul></ul><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div style="text-align: justify;">A reminder: if you use a password management system, ensure that the password for this system is as strong as you can make it. 
That password is, quite literally, the key to your online kingdom.</div><div style="text-align: justify;"><br></div></blockquote>Hope this helps!</div><div style="text-align: justify;"><br></div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com1tag:blogger.com,1999:blog-997315269912926632.post-2809116501280962032014-08-06T22:06:00.001-07:002014-08-10T06:29:00.779-07:00Russian Hackers Amass Over 1 Billion Passwords<div style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">Many of you may have seen the recent announcement about a Russian hacking group amassing over a billion internet passwords from internet-facing applications. If you haven't,</span><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;"> </span><a href="http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html?hp&action=click&pgtype=Homepage&version=LedeSum&module=first-column-region&region=top-news&WT.nav=top-news&_r=0" id="id_36a6_d2cb_d8a7_60f8" target="_self" style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">here's a link</a> to the recent New York Times article.</div><span style="background-color: rgba(255, 255, 255, 0);"><div style="text-align: justify;"><br></div><span style="-webkit-text-size-adjust: auto;"><div style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0);">This hasn't generated a tsunami of chatter just yet, but I am certain that many of you will have/face questions. 
Based upon what little we know right now, here are some random thoughts and opinions.</span></div><div style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="text-align: justify;"><ul><li><span style="background-color: rgba(255, 255, 255, 0);"><i>When In Doubt, Change Your Passwords. </i>Seems simple enough, but many people still do not do this with regularity. Worse, many people use the same weak password for multiple accounts. Changing your password to a strong, complex password that you haven't used elsewhere will eliminate the threat of compromised passwords. Corporately, enforcement of password policies regarding complexity and periodicity of change will have the same positive impact.</span></li><li><span style="background-color: rgba(255, 255, 255, 0);"><i>The Announcement Timing Is Suspect. </i></span><span style="background-color: rgba(255, 255, 255, 0);">Hold Security (the company that announced this finding) may be doing this for publicity. Less-than-scrupulous security firms have often kickstarted their initiatives with a huge announcement like this as an entry into gaining traction in the market. Add to that the fact that the Blackhat and Defcon Security Conferences are currently underway, and my suspicions become exacerbated. Indeed, <a href="http://www.forbes.com/sites/kashmirhill/2014/08/05/huge-password-breach-shady-antics/" id="id_8af9_2a7a_1fb2_4a60">Forbes announced this morning</a></span> that Hold is now offering a service "for as low as $120" to help you determine whether your password is on the list.</li><li><span style="background-color: rgba(255, 255, 255, 0);"><i>We Don't Know The Important Stuff. Yet. </i>Until we have more data (who/what/when/where/why) about this announcement, there's little anyone can do corporately/organizationally to protect themselves beyond changing passwords. Indeed, this is little more than a "the sky is falling" announcement as it is currently crafted. 
</span><span style="background-color: rgba(255, 255, 255, 0);">What would be more interesting is an understanding of what servers in what corporate entities were compromised to get this data. If Hold Security chooses to release that information (and early indications are that they will not), then the impacted organizations will come under increased scrutiny and may trigger a need for security professionals to reassess their overall protection profiles.</span></li></ul><span style="background-color: rgba(255, 255, 255, 0);">Bottom line for this one -- for now -- is password management. Only time will tell if we need to take a deeper look at the potential ramifications of this revelation.</span></div><div style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0);">My two cents...</span></div></span></span>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com2tag:blogger.com,1999:blog-997315269912926632.post-71615014044273593082014-04-09T17:27:00.001-07:002014-04-09T17:27:10.525-07:00Tips and Tricks on Surviving the Heartbleed Bug<div style="text-align: justify;">As many of you have heard this week, a <a href="http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/major-bug-called-heartbleed-exposes-data-across-the-internet/" id="id_6e4b_3d7e_83f4_ac85">significant vulnerability was recently discovered within OpenSSL</a> -- a popular open-source protocol used to encrypt vast portions of the web -- to include authentication data such as user names and passwords. The bug has been dubbed the "Heartbleed" bug as it exploits a flaw in the handling of the TLS heartbeat extension within the protocol. </div><div style="text-align: justify;"><br></div><div style="text-align: justify;">This particular bug is actually worthy of the attention that it is getting. 
That being said, the sky isn't falling and the Internet isn't collapsing :) Here are a few things that you can do to protect yourself while Heartbleed is being remedied:</div><div style="text-align: justify;"><br></div><div style="text-align: justify;"><ol><li><i>Password Management</i>. There is some debate around whether you should consider changing your passwords now or changing your passwords after verifying that the patch has been deployed. My practical answer is to wait. Changing your password on an already-compromised website still results in a compromised password, so waiting to change until sites are patched makes better sense. My one exception to this is in situations where you are using the same password for multiple accounts. Immediately changing the password that you use for your 4 email accounts, 3 banking applications, 2 social media sites, and 1 online shopping service to 10 separate passwords is one way of minimizing any potential damage from a compromised account. Of course, managing and securing so many passwords can be painful; I recommend utilizing a secure password management tool to assist. My favorite? <a href="http://keepass.info" id="id_815f_9277_3c6a_31c6">MiniKeePass</a>.</li><li><i>Financial Scrutiny</i>. It's an old saw, but it still rings true: keep an eye on financial transactions and financial statements for potential fraudulent activity. Call your financial institution immediately if you see something that doesn't make sense.</li><li><i>When in Doubt, ASK</i>. So how do you know if websites you do business with are vulnerable to this flaw? 
If you like to get your geek on, you can <a href="https://lastpass.com/heartbleed/" id="id_9219_ba15_443e_50ce">test a website yourself</a> (though the results aren't necessarily conclusive); you can also consult the latest list of <a href="https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt" id="id_1985_961b_36c8_9249">Heartbleed test results for popular sites</a> that is circulating the web right now. The easiest way to find out, though, is to ask the question of those sites which you frequent. Knowledge is power, and getting straight answers from the online entities which you frequent will help you better protect yourself as you move forward.</li></ol><div>Hope this helps. Spread the word!!</div></div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-29857954860191909542014-03-16T10:28:00.001-07:002014-03-16T10:47:31.454-07:00Intelligence Redux<div style="text-align: justify;">Anybody who was at the RSA Conference a few weeks ago can attest to the fact that "threat intelligence" has become the catchphrase du jour. As was the case with "cloud" a few years ago and "data analytics" last year, every vendor on the show floor was hawking a product or service which claimed to increase my understanding of the bad guy and thus improve my ability to better defend my enterprise.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">As I began to dig into these products and query my fellow practitioners, I became concerned about what the vendors were calling intelligence and the real value this latest array of tools and services would (or would not) provide. Many of my discussions quickly focused on the concepts of intelligence and intelligence collection and how to apply these concepts practically. While it's been years since I worked in Army Intelligence, some lessons certainly spill over into the corporate world. 
Allow me to share some of my thoughts on these concepts for your consideration...</div><div style="text-align: justify;"><br></div><div style="text-align: justify;"><i>Intelligence Defined.</i> With the term threat intelligence being widely (overly?) used these days, it's worth stepping back and understanding the difference between data, information, and intelligence. <i>Data</i> are facts; they are immutable and unchangeable. <i>Information</i>, simply put, is data in context. <i>Intelligence</i> is information that is extracted and revealed from an analysis of given data and information.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Confused? Let me give you an example. Take the number 3015178088. This number is a piece of <i>data</i>, devoid of any context. We can attempt to provide some context to this data in an attempt to provide some level of <i>information</i> to the reader. Examples:</div><div style="text-align: justify;"><ul><li>3,015,178,088 -- a number in excess of three billion</li><li>30151-70808 -- an overseas telephone number, most likely European</li><li>(301) 517-8088 -- a North American phone number</li></ul>As you can see, adding context to the data provides different <i>information</i> to the consumer.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">In this particular example, the North American telephone number is the correct context. 
Now let's provide additional data/information to the reader:</div><div style="text-align: justify;"><ul><li>301 is one of the area codes for Maryland</li><li>I lived in Maryland from 1995 to 2003</li></ul>Given these pieces of data and information, you might be able to extract the <i>intelligence</i> that the phone number listed was one of my old phone numbers. That piece of information is not stated anywhere within the provided data/information, but through simple analysis and some deductive reasoning, it can be extracted with a reasonably high level of confidence. Consumer organizations regularly extract "business intelligence" from data collected with member loyalty programs in an attempt to focus their marketing and sales efforts with laser-like precision -- <a href="http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/" id="id_72a4_4eea_9bb_4249" target="_self">occasionally to the point of becoming quite intrusive.</a></div><div style="text-align: justify;"><br></div><div style="text-align: justify;"><i>Actionable Intelligence Collection</i>. In order for intelligence to be actionable (i.e., result in the ability for me to do something better/smarter/differently/more effectively than I am at the moment), the intelligence collection effort within the enterprise must be organized and deliberate. Intelligence collection is more than information gathering/information consumption; it requires the enterprise to remain focused on fanatically answering three seemingly simple questions:</div><div style="text-align: justify;"><br></div><div style="text-align: justify;"><ul><li><u>What do I need to know</u>? What are the most important questions for you to get answered? In the military we referred to these questions as <i>priority intelligence requirements (PIRs)</i>. Intelligence collection efforts should be focused on answering these questions first and foremost. 
Note that determining these questions may be simpler than you think. I remember an intelligence exercise from my GI days involving the transport of relief supplies into a fictional European country via military convoy. As the exercise assumed a hostile force which occasionally disrupted transports along the one major highway into the area, the #1 PIR was always "Is the road open for travel?" I would imagine that some of the PIRs for most enterprises would be equally straightforward. Some examples:</li><ul><li>Are bad guys in my environment right now?</li><li>Is sensitive data leaving my environment in an unauthorized fashion?</li><li>Which bad guys are trying to get into my enterprise? </li><li>Where are the most likely/most vulnerable attack points?</li></ul></ul><ul><li><u>What is the best way to get the answers I need</u>? Folks, PIRs can (and should) be answered by a multitude of sources. These include (but are not limited to):</li><ul><li>News reports</li><li>Existing enterprise tools </li><li>Communications via professional organizations</li><li>Organizations which monitor threat activity regularly (CERTs, ISACs)</li></ul></ul><blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;"><div style="text-align: justify;">While a "threat intelligence" platform or service, properly constructed, might provide indications and warning about an imminent attack, it may be argued that existing sources of data from within the enterprise are better suited to determining the current state of attack <i>if properly monitored and utilized</i>. Indeed, focused monitoring and analysis of open-source information providers may provide reasonably accurate and timely indications and warning of threats and attacks against the enterprise.</div><div style="text-align: justify;"><br></div></blockquote><ul><li><u>What do I intend to do with the intelligence gathered</u>? Intelligence collection should not be an academic exercise. 
Answering your PIRs should drive action within your environment. If fulfilling a PIR does not drive even a minimal course correction on the actions and activities of the enterprise, then you need to consider whether or not you are answering the right questions...or whether or not you need to adjust your efforts down to that which is actionable within your current culture. This last phrase may seem anathema to the security professional, but given limited resources we must constantly balance our collection efforts against our execution priorities lest security become simply an academic exercise.</li></ul><div style="text-align: center;">* * * * * </div></div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Given the aforementioned definitions, many of the "threat intelligence" products and services being advertised today provide threat <i>information</i> versus threat <i>intelligence</i> -- i.e., they are providing yet another credible data/information source to the enterprise defenders versus true intelligence. While this data source may be more focused and more useful than other data sources available, without an understanding of organizational PIRs this data source becomes yet another firehose of "stuff" which the security team must consume lest it drown. Worse, without an ability to guide and focus collection efforts across the enterprise the security team may be looking for indications & warning regarding attacks from largely ineffective (and probably expensive) sources. </div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Threat "intelligence" products and services do have a place within the enterprise...but only if the enterprise is prepared to utilize and absorb the information provided in a cogent and thoughtful manner. 
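To make the three questions above concrete, here is an added illustration (not the author's code) of a small PIR register in Python: each PIR names the existing enterprise sources that answer it, a check that runs over that telemetry, and the action a positive answer drives. The log lines, hostnames, thresholds and allow-list are constructed for the example; a PIR whose check returns findings but whose action would be nothing is, per the post, the wrong question.

```python
"""PIR-driven collection over existing telemetry (added illustration).

Every record, host, address and threshold here is constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed auth records in the 'ts tag k=v k=v ...' shape an sshd forwarder might emit.
AUTH_LOG = [
    "2014-03-10T02:01:05 sshd host=web01 user=svc_backup result=FAIL src=203.0.113.7",
    "2014-03-10T02:01:09 sshd host=web01 user=svc_backup result=FAIL src=203.0.113.7",
    "2014-03-10T02:01:14 sshd host=web01 user=svc_backup result=FAIL src=203.0.113.7",
    "2014-03-10T02:01:20 sshd host=web01 user=svc_backup result=FAIL src=203.0.113.7",
    "2014-03-10T02:01:27 sshd host=web01 user=svc_backup result=FAIL src=203.0.113.7",
    "2014-03-10T02:01:33 sshd host=web01 user=svc_backup result=OK src=203.0.113.7",
    "2014-03-10T08:15:02 sshd host=web02 user=alice result=FAIL src=10.0.4.22",
    "2014-03-10T08:15:10 sshd host=web02 user=alice result=OK src=10.0.4.22",
]
# Constructed egress records from a web proxy.
EGRESS_LOG = [
    "2014-03-10T02:10:00 proxy host=db02 dst=files.example.net bytes=734003200",
    "2014-03-10T09:00:00 proxy host=ws17 dst=updates.vendor.example bytes=52428800",
    "2014-03-10T09:30:00 proxy host=ws17 dst=mail.example.com bytes=1048576",
]
ALLOWED_EGRESS = {"updates.vendor.example", "mail.example.com"}  # constructed allow-list


def parse(line: str) -> dict:
    """Split 'ts tag k=v k=v ...' into a dict; timestamp and tag get their own keys."""
    ts, tag, *kvs = line.split()
    rec = {"ts": ts, "tag": tag}
    rec.update(kv.split("=", 1) for kv in kvs)
    return rec


def failed_login_bursts(lines: List[str], threshold: int = 5) -> List[str]:
    """PIR: are bad guys in my environment right now?
    Flags (src, user) pairs with >= threshold failures and notes a later success."""
    fails = Counter()
    succeeded_after = set()
    for rec in map(parse, lines):
        key = (rec["src"], rec["user"])
        if rec["result"] == "FAIL":
            fails[key] += 1
        elif fails[key] >= threshold:  # success only after a burst is the worrying case
            succeeded_after.add(key)
    findings = []
    for (src, user), n in sorted(fails.items()):
        if n >= threshold:
            tail = " then succeeded" if (src, user) in succeeded_after else ""
            findings.append(f"{n} failed logins as {user} from {src}{tail}")
    return findings


def unexpected_egress(lines: List[str], allowed: set, limit_bytes: int = 100 * 1024 * 1024) -> List[str]:
    """PIR: is sensitive data leaving my environment in an unauthorized fashion?
    Flags large transfers to destinations not on the allow-list."""
    findings = []
    for rec in map(parse, lines):
        size = int(rec["bytes"])
        if rec["dst"] not in allowed and size > limit_bytes:
            findings.append(f"{rec['host']} sent {size // (1024 * 1024)} MiB to unlisted {rec['dst']}")
    return findings


@dataclass
class PIR:
    question: str
    sources: Tuple[str, ...]         # where the answer comes from; existing tools first
    check: Callable[[], List[str]]   # collection against those sources
    action: str                      # what a 'yes' drives; no action means the wrong question


PIRS = [
    PIR("Are bad guys in my environment right now?",
        ("sshd logs", "bastion auth logs"),
        lambda: failed_login_bursts(AUTH_LOG),
        "open an incident; isolate the host and reset the account"),
    PIR("Is sensitive data leaving my environment in an unauthorized fashion?",
        ("proxy logs", "netflow"),
        lambda: unexpected_egress(EGRESS_LOG, ALLOWED_EGRESS),
        "block the destination; pull the host for forensics"),
]


def answer_pirs(pirs: List[PIR] = PIRS) -> List[Tuple[str, List[str], str]]:
    """Run every PIR's check; return only answered PIRs with the action each drives."""
    answered = []
    for p in pirs:
        findings = p.check()
        if findings:
            answered.append((p.question, findings, p.action))
    return answered


if __name__ == "__main__":
    for question, findings, action in answer_pirs():
        print(question, findings, "->", action)
```

The point of the structure is that the check and the action are decided before collection starts; a vendor feed could be added as one more source for an existing PIR, but it does not earn a place in the register on its own.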
While the temptation to garner information from closer to the bad guys is appealing, having yet another firehose to drink from will only hasten the drowning if you're not careful.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">My two cents...</div><div style="text-align: justify;"><br></div><div style="text-align: justify;"><br></div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0tag:blogger.com,1999:blog-997315269912926632.post-45818950947467666882014-03-01T12:26:00.001-08:002014-03-01T20:42:33.171-08:00A Three-Pronged Approach to Protection<div style="text-align: justify;">In the wake of recent merchant breaches, I have found myself on an increasing number of calls with customers, reporters, and business leaders from various industries. Invariably, the questions asked all boil down to one overarching interrogative: "How do we avoid becoming the next breach victim?" After I attempt to calm nerves and reiterate that there are no silver bullets out there, my answers tend to center around three fundamental areas that I offer up to you for criticism or comment. Here goes...</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">1. <i style="font-weight: bold;">Be Harder Than The Other Guy</i>. Folks often ask me whether or not they should put the alarm sign in front of their house when they buy an alarm service. My answer to them is "yes, absolutely!" Most burglaries and break-ins are by amateurs looking for easy targets and/or targets of opportunity. While the alarm sign will alert the 1% who are specifically aiming to break into <b>your</b> house to cut the phone lines, it will also steer the remaining 99% to your neighbor's house if your neighbor doesn't have an alarm sign posted. No alarm equals an easier target, so becoming a harder target than your neighbor is an attack deterrent. The same principle applies in cyberspace. 
If your protections and controls are perceived to be more durable and more resilient than your competition's, it stands to reason that the bad guys will attempt to acquire data from the weaker target instead of attempting to breach the harder target. We can see this occurring in a strategic fashion if we step back and observe the class of businesses that hackers are attacking; instead of focusing predominantly on financial institutions and payment processors, we have seen concerted efforts against merchants, contact centers, and other potential 3rd party "aggregation points" for data. Even within certain classes of targets, there is value in informing your adversary -- in general (but not opaque) terms -- of the strength of your protections in order to discourage attack. (<i>Note</i>: Those of you reading this post who have some military experience will recognize this approach from your unconventional warfare training; if you think about it for a bit, you'll see that the same principles apply when facing off against the hacker community :o) )</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">2. <i style="font-weight: bold;">Be Best-In-Class At Incident Response</i>. If you accept the premise that even the most prepared defenses will be breached -- and they will, believe me :) -- then the ability to identify, contain, and eradicate the threat as early as possible becomes critical. There are statistics out there which state that the average time between infection by a sophisticated attacker and its detection in the network can be measured in months if not years. Investing in the technologies and the personnel needed to shrink this window is a critical step in breach avoidance. Note that investing in personnel does not just mean headcount; more importantly, it means training and education to improve general security knowledge; an understanding of the threat; and critical thinking skills. 
This training needs to extend beyond the security team to all members of the extended incident response team. </div><div style="text-align: justify;"><br></div><div style="text-align: justify;">3. <i style="font-weight: bold;">Add Threat Intelligence To The Mix</i>. If this year's RSA Conference is any indication, the importance of understanding one's adversary has come back into the forefront of the security discussion. This will be considered good news by those who have long stated that we have become so process and business focused that we have diluted our understanding of hard-core security. Still, I wonder how many people understand the difference between threat <i>information</i> and threat <i>intelligence</i>. True threat intelligence, in order to be useful to the enterprise, requires an understanding of what knowledge is of paramount use (priority intelligence requirements); what the best sources are for obtaining that knowledge (collection management); and what actions need to be taken based upon the information obtained (risk management planning). In the absence of these key components, threat information becomes yet one more firehose from which the security team must drink whilst attempting not to drown.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">While these answers may provide small comfort to organizations looking for quick-fix solutions, they represent the basic building blocks for moving toward a risk-based security program. Consider using these concepts when discussing security needs with your business leaders. 
Enjoy!</div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com1tag:blogger.com,1999:blog-997315269912926632.post-82952907324045988012014-02-19T18:49:00.001-08:002014-02-19T18:51:16.186-08:00Eulogy to Windows XP<p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"><i>(The following eulogy was written by Sam Marshall from Treca Educational Solutions. Enjoy! -K)</i></span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> <o:p></o:p></span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Many of you may have heard that Windows XP will soon see retirement and no longer receive updates or support from Microsoft. </span><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">So let’s take a moment to remember Windows XP:</span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;"><br></span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"></p><ul><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">When Windows XP was released on October 25th, 2001, President George W. 
Bush had not yet completed his first year in office.</span></li><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">The minimum amount of RAM to run it was 64MB; the iPhone 5s comes standard with 1GB which is 16x more powerful</span></li><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">When Windows XP was launched there was no Facebook, Twitter, or Pinterest</span></li><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">Businesses wanting to install Windows XP could prepare 6 FLOPPY DISKS to install the operating system on systems that did not have a CD-ROM drive.</span></li><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">By January 2006 over 400 Million copies had been sold.</span></li><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">Microsoft officially ended sales of Windows XP on June 30th 2008 -- over 5 and a half years ago!</span></li><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">Microsoft has released 3 newer Operating Systems after Windows XP</span></li><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">Even in 2014 Windows XP is being used on nearly 30% of the world’s computers. 
Many of these systems are ATMs and Point-of-Sale devices.</span></li><li style="text-align: justify;"><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">Microsoft will end support of Windows XP on April 8, 2014 (Less than 60 days away)</span></li></ul><p></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> <o:p></o:p></span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Why should you care?<o:p></o:p></span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> <o:p></o:p></span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">If you, your friends, or your family run Windows XP, know that after April 8th these systems should no longer be considered secure. Microsoft will no longer release security patches or updates for Windows XP. 
</span><span style="-webkit-text-size-adjust: auto;">These updates are like vaccines and Microsoft ending support means no more vaccines will be made to keep your system healthy.</span><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;"> (</span><i style="-webkit-text-size-adjust: auto;">note: Microsoft is offering some level of continued patching support for businesses, but the price points are punitive. No such support has been planned for individual consumers to my knowledge)</i><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">. </span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);"> <o:p></o:p></span></p><p class="MsoPlainText" style="text-align: justify; margin: 0in 0in 0.0001pt;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Sadly there are no easy solutions. </span><span style="background-color: rgba(255, 255, 255, 0); -webkit-text-size-adjust: auto;">The only options available are to update to a new operating system or purchase a new computer if your current one cannot run a newer version.</span></p>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com1tag:blogger.com,1999:blog-997315269912926632.post-79686723203390600712014-02-16T15:51:00.001-08:002014-02-16T16:04:50.450-08:00Blinded (and Bitten) by Compliance<div style="text-align: justify;">I have remained silent on issues of security as we entered the new year, and many of my readers have asked me why. With the plethora of merchant breaches that hit the news during the holiday season, surely I had an opinion (or six) on the topic...so why not share them? 
The reason was simple: there were already so many "experts" and pundits providing comment with minimal information that adding one more voice to the fray would most likely be counterproductive. The merchants who were breached have been vilified in the press and had their collective competence unfairly questioned by far too many people in far too many venues; anything I had to say (and much of it would be favorable to my security brethren) would merely add to the noise...and might be subject to misinterpretation by folks hungering for a story. Still, now that the media drama has subsided and we're into the "what must be done" phase of the crisis, I think it's time for me to come up for air. While I don't wish to continue "making glue" out of well-flogged security issues, there is one area that I believe bears a tad more exploration: the PCI-DSS and its role within payment security. </div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Earlier this month, Bob Russo of the PCI Council <a href="http://www.bankinfosecurity.com/interviews/pci-council-responds-to-critics-i-2175/op-1" id="id_ea27_c089_e3de_ac20" target="_blank">formally responded to criticisms</a> of the PCI-DSS standard in the wake of recent breaches. Mr. Russo reminded nay-sayers that (a) there is no such thing as a silver bullet; (b) the PCI standard represents an "excellent line of defense" in terms of security; and that (c) it is not the job of the PCI Council to enforce merchant or banking institution security. In short: the recent merchant breaches do not represent a failure in the PCI-DSS but rather a breakdown in security controls within the respective institutions.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Hmmm....</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">I remember working as a CISO in the mid 2000s during the early days of credit card breaches. 
I remember watching a couple of television commercials sponsored by all five major credit card brands touting the safety and sanctity of credit card payments. Every time I saw one of these commercials I noted to my colleagues that I felt the credit card companies were "running scared" from regulation in light of the then-current state of breaches; I was curious as to what the card brands would propose to fend off the spectre of further regulatory oversight. The very next year, PCI-DSS came into being. More prescriptive and detailed than HIPAA, the PCI-DSS had more teeth than existing federal mandates given the ever-looming possibility of losing the ability to process electronic payments transactions. During this time, the card brands feverishly campaigned to anyone who would listen about how PCI-DSS would collectively raise the bar in how credit card processes were secured and inject peace of mind back into transactions.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">The security community willingly and eagerly jumped onto the compliance bandwagon, touting HIPAA, PCI, and GLBA whenever possible. "At last," the community said, "we have a useful arrow in our quiver." Security was either the law of the land or a regulatory requirement for business. We hitched our programs onto these regulations and laws with reckless abandon, eschewing the nay-sayers (yes, I was one of them) who touted the regulations yet cautioned that they could become yet another brand of FUD (fear, uncertainty, and doubt) if we linked our programs too closely to them. Years would pass before we would come to realize that by equating security to compliance we risked watering down our programs to the minimum necessary controls required to obtain a compliant state. 
It would be even more years before we recognized that the final determination of legal and/or regulatory sufficiency often did not reside within security but with the offices of the corporate attorney.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">At the end of the day, any security professional has to agree with the statements made by Mr. Russo. Any assessment against regulation is a point-in-time view of an organization, and while the DSS is an excellent standard it mightn't be sufficient to ensure security of all critical assets within the environment. Worse, if security controls are not monitored and appropriately enforced then even the most robust ecosystems will become vulnerable. In defending the PCI-DSS and its viability, Mr. Russo has merely restated a tenet that security professionals started saying en masse several years ago: compliance does not equal security. My minor umbrage, if you will, to Mr. Russo's comments stems from the fact that the security community's late realization of the aforementioned tenet was one of the contributors to the successful marketing of the PCI-DSS as a standard of excellence for security. </div><div style="text-align: justify;"><br></div><div style="text-align: justify;">One cannot help, as a community, feeling partially thrown under the "blame bus" by an ally. </div><div style="text-align: justify;"><br></div><div style="text-align: justify;">Mr. Russo's interview should hopefully represent a wake-up call for those still focused on compliance instead of security. Anyone struggling with their leadership to focus on holistic, risk-based security versus compliance should use Mr. 
Russo's interview as a reminder of the role -- and limits -- of compliance within one's security program.</div><div style="text-align: justify;"><br></div><div style="text-align: justify;">My two cents...</div><div style="text-align: justify;"><br></div>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com1tag:blogger.com,1999:blog-997315269912926632.post-66456554522508896332013-12-04T15:58:00.001-08:002013-12-04T15:58:37.233-08:00Millions of Gmail, Yahoo, Twitter, and Facebook Passwords Stolen<h2 style="margin: 0px; padding: 0px 0px 20px; border: 0px; outline: 0px; vertical-align: baseline; font-weight: normal;"><font size="3"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">Hackers have stolen usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, according to a report released this week.</span></font></h2><p style="margin: 0px; padding: 0px 0px 20px; border: 0px; outline: 0px; vertical-align: baseline;"><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers. You can read the details of the breach </span><a href="http://money.cnn.com/2013/12/04/technology/security/passwords-stolen/" id="id_e34_acb0_fece_6243">here</a><span style="-webkit-text-size-adjust: auto; background-color: rgba(255, 255, 255, 0);">, but you should change your passwords on these services as soon as possible. Spread the word!</span></p>Anonymoushttp://www.blogger.com/profile/10556330682717646220noreply@blogger.com0