Monday, April 27, 2015

Thoughts on The Irari Rules

I’ve had the pleasure of knowing Ira Winkler and Araceli Treu Gomes for over a decade now.  Both are quality and insightful security professionals who raise the bar within our industry.  As such, I’ve enjoyed reading their joint commentaries on various security issues and challenges over the past few months.

Winkler and Gomes’ latest contribution to the fight are “The Irari Rules” (named after a combining of their first names).  The relevance of the Irari rules re: determining the true technical attack sophistication cannot be overstated;  it is easy for business leaders and other technology professionals to talk about a new level of sophistication in attacks when in reality we are seeing increased efficiencies and volume around highly predictable (and preventable) attack vectors.  That being said, Winkler and Gomes take a slight – and, in my opinion, erroneous – detour in their conclusions which may obscure some of the important messaging we all need to hear.

Think about what the Irari rules are advocating for a second:

  • Use anti-virus or anti-malware software
  • Patch your systems
  • Use multi-factor authentication
  • Change passwords frequently
  • Create detailed, realistic, holistic education programs
  • Turn on and monitor your alert mechanisms
  • Segment your networks
  • Aggressively manage user accounts and their privileges

None of this is rocket science -- nor is it anything that we as security professionals haven’t been saying for the better part of two decades, with arguably the same level of mixed (poor?) results.  Yet clearly something has changed within the ecosystem given that (a) the number of compromised records per breach has increased exponentially; and (b) concern regarding breaches has entered the mainstream consciousness.  So if it’s not the sophistication of the technical attack…what’s going on?

Winkler and Gomes posit that the “new normal” for organizations should be to “expect to be targeted by people with more than a trivial level of skills and the time and resources to search for blatant vulnerabilities.”  This would seem to support an argument for the efficacy of a more sophisticated attacker as opposed to a more sophisticated attack – which results in higher levels of risk overall to an organization.  Remembering the basic risk multiplicative of (T)hreat x (V)ulnerability x (A)sset-Value, a more sophisticated threat can make better use of existing vulnerabilities than a casual aggressor.  Continuing the lock analogy used in their article, the issue isn’t whether the door is locked or not, as most security is rarely so binary a calculus; rather, it’s the newness and maintenance of the locks in place.  While these locks may be sufficient to stop an opportunistic intruder, a focused intruder with moderate skills could defeat these locks (single-factor authentication; static passwords; etc.) with relative ease.

There’s another factor in the risk equation that Winkler and Gomes have failed to consider:  asset value.   While consumers have not yet fully rationalized their willingness to achieve convenience and personalized service via providing personal data with their concerns over its use, the value of data to both individuals and corporations has increased dramatically.  As the value and proliferation of data within organizations increases, the security professional must reevaluate whether the locks remain sufficient and are sufficiently maintained to mitigate risks within the environment to an appropriate level. 

Winkler and Gomes conclude that “(c)laims of sophisticated attacks deflect blame, obscure the need to make improvements and attempt to shirk responsibility for implementing poor security efforts.” In this I agree…but only to a point.  Yes, claims of sophistication can contribute to obscuring the need for improvements, but the argument for improving programs isn’t in the elimination of obscuration but the removal of our profession's own obfuscation of risk issues.  Fundamental blocking and tackling within a security program is essential, yes...but even the best managed programs can’t bring risk to zero.  As we do the blocking and tackling to eliminate vulnerabilities, it is equally critical to acknowledge attacker (versus attack) sophistication as well as the marked increase in asset value regarding data.  In this environment, yesterday’s locks and windows (read:  yesterday’s security program implementation) won’t keep the bad guys away.

My two cents…

Sunday, March 22, 2015

Security Awareness: Changing User Behavior Reduces Overall Risk

Last week I was asked to participate in a webinar regarding security awareness and its efficacy within the workplace. I and my fellow panelists -- Sam Masiello of Teletech; Michael Angelo of NetIQ, and Joe Ferrara of Wombat Security -- had a lively and wide-ranging discussion of the benefits, pitfalls, and challenges of security awareness.  If you're interested, the webinar is available for playback at this link.  Note, you'll be required to register at the site before viewing/listening.

Enjoy!

Saturday, October 4, 2014

"What Keeps You Up at Night?"

Recently I was asked by SecureWorld to write an article responding to the question, "What keeps you up at night?" Like most security professionals, I get asked that question quite a bit in various contexts.

My answer to this question tends to be somewhat unorthodox, but it brings a perspective to the problem that I believe we Warriors of the Light should contemplate and consider.  My full response can be found here on the SecureWorld site.  Give it a read and let me know what you think!

Thursday, September 11, 2014

It Is Still All About The Business

Two weeks ago, Baseline Magazine published the results of a survey regarding executives' views toward the CISO position.  The results were less than encouraging:
  • 74% of the C-Level executives surveyed believe that CISOs should not be a part of organizational leadership teams
  • 44% view the primary role of the CISO as "being accountable for any organizational data breaches."
These results are not surprising to most practitioners.  In many companies, the title ‘CSO’ stands for “chief scapegoat officer” even to this day.  CSOs and CISOs live in fear of the inevitable breach, because such an event will lead to accusations and recriminations versus investigation and remediation.    Ironically, this attitude by the organization's executives actually reduces the efficacy of the security team.  In addition to creating an undertone of survival and us-against-the-world within the CISO organization, the senior security executive now feels compelled to spend a goodly portion of their time covering themselves (i.e., "creating the paper trail") and focusing on tactical issues versus strategically driving the security program.

While many of my brethren will focus on the aforementioned results, this survey reveals a more telling statistic: 68% of the executives surveyed feel CISOs lack broad awareness of organizational objectives and business needs. Despite our best efforts, and despite certifications that preach otherwise, we are clearly failing to adequately link ourselves to the businesses we support.  While there are no silver bullet answers out there, here are a couple of tips and pointers that I've found effective in bridging the "business gap" over the years:
  • Ask The Key Question.  When I assume the role of CSO/CISO in any organization, I make it a point to meet every business line leader and their direct reports within the first two weeks of my arrival.  The first question that I pose to each of them is always the same:  "How do you make money?"  Not "what do you do for a living," but how does that business unit generate revenue for the organization?  When they answer me, I keep probing and asking questions until I truly have at least a high-level understanding of the services and products offered and how they contribute to the company's bottom line.  Once you understand how the business makes money, it becomes exponentially easier to understand where security controls are appropriate -- and, more importantly, the potentially negative impact a specific control can have on the revenue picture.  
Note that I used the terms "money" and "revenue" instead of "profit."  Even non-profit and not-for-profit organizations generate revenue to pay the bills.  While the mission/purpose of any organization is critical, that mission must generate some level of revenue in order to succeed at its efforts.

  • Have A Strategy.  Sounds simple, right?  Yet to this day a significant portion of CSOs do not have a documented strategy.  Those who have documented their strategies tend to link their objectives solely toward risk reduction and mitigation versus achieving the business' objectives -- which leaves an impression with executives that security is something that they "have to do" that is diverting expenditures away from revenue-generating efforts.
I'm an old Common Criteria (CC) tester and evaluator.  The one thing that I loved about the CC was its structured approach regarding requirements.  Functional requirements led to technical functional requirements which in turn logically led to security functional requirements.  I take a similar approach when structuring my strategic imperatives.  The business wants to do something; that "something" will require specific operational and technical capabilities.  Creating those capabilities at a risk level consistent with current risk levels requires us to enable/enhance/create these specific security capabilities.  This linkage helps intrinsically tie your security endeavors to the business.

Understand that there are times that you will need to drive compliance and/or risk reduction activities purely for the sake of compliance/risk reduction;  but never forget that being compliant is a business requirement and that you are reducing risk to a level acceptable to the business.  Say those things in your strategy.
  • Educate Your Teams.  You can't be the only one that understands the business;  every member of your team needs this level of understanding as well.  Not only will it change the optics re: your team as they interface with the business, but it will also enable them to bring more business-appropriate solutions to the table as they problem solve in the security space.  
It would be easy for us to make a bit of a chicken-and-egg argument here and claim that we security warriors can't start thinking strategically and better integrate security with the business because we fear recriminations when something goes wrong. If this survey is any indication, though, we are collectively limiting -- if not damaging -- the profession by not aggressively focusing on relating our activities to our organizations' strategic imperatives.  If we are living in an era where massive breaches are becoming commonplace and we cannot guarantee that a breach will not occur, then a lack of a strategically-driven security program that is intrinsically linked to business objectives only justifies the opinions listed above.

My two cents...   

Saturday, August 23, 2014

The Impact of Situational Privacy

Pop quiz today!  Which of the following situations is a violation of privacy:


  • A national retailer utilizes purchases you make with them to send you advertisements about products you might enjoy or need
  • A reputable search engine utilizes data about you from previous searches and other products to better tailor its content to your needs
  • A government entity utilizes data in the public domain to hone in on potential criminals.


If you answered anything but "it depends" on this quiz, you haven't been following the nuances of the privacy debate lately :)


Let's get a little deeper into each of these examples for just a moment:


  • In 2012, Target came under media scrutiny for using data analytics to predict which of its shoppers might be pregnant.  The retailer then began sending coupons to those shoppers for things like baby clothes, strollers, etc.  The story made news when one Minnesota father noticed that his teenage daughter was receiving these materials.  The irate father marched into a local Target, demanding to see a manager, and accused the retailer of attempting to encourage his daughter to get pregnant…only to find out from his daughter that she was, indeed, already pregnant.  Target's analytics had identified her pregnancy before her own father had known. 
  • Just last month, Amazon.com celebrated its 20th birthday.  One of the features this massive online retailer is known for is utilizing knowledge of your shopping habits to send you advertisements about products and services which you might enjoy.  As of this year, Amazon is exploring pushing the envelope around this concept and has taken a patent out on what it is describing as "anticipatory shipping."  Utilizing the data it already has about you, the mega-retailer intends to just start sending you items which it believes you want before you purchase them, arguing that the success rate of its algorithms is such that the number of returns would not exceed the benefits reaped by this level of customer service. 
  • Several years ago, people started noticing that their search engines -- in particular, Google -- were displaying different sets of results for the same question.  Upon further exploration, people discovered (realized) that most search engines utilize data from your location and your browser history to better customize answers for you.  Providing such customization makes it easier to retrieve more meaningful results for the consumer which shortens search time…and also makes it easier to tailor advertisements to the consumer that s/he might be interested in.  The downside, of course, is that it may also be masking important yet contradictory information that is relevant to the individual's search -- thus reinforcing research bias.  (Note:  you can turn off "search customization" (as Google refers to it), but it's difficult to find out how if you go onto their support site. The link above also provides information on how to disable search customization relatively easily.)
  • In June 2013 Edward Snowden exposed the NSA's domestic cellular collection program.  The general public was outraged that the government would utilize cellular metadata (such as location information) to spy on its citizens; however, these same citizens exhibited no qualms about carrying a device which regularly broadcasts location nor the use of that location data by other governmental entities and agencies.


The examples above are illustrative of the complexity around privacy.  Gone are the days when we could simply state that "<x> data is private"; indeed, we are moving more to an environment of "situational privacy" where the data itself isn't as much an issue as how the data is used.  Consumers freely and openly volunteer exabytes of data on a daily basis for seemingly innocuous transactions…yet they are regularly shocked and angered as this data is combined with other seemingly innocuous (and freely given)  pieces of data to provide predictive intelligence to marketers, corporations…and yes, to  government entities.


As security professionals, we are becoming more embroiled in the debate around privacy.  Remembering that privacy itself is impossible without appropriate security controls, the situational nature of data mining and appropriate data usage makes the protection equation daunting.  Do we wrap a cocoon of Pentagon-level protection around the data lake, even though 99% of the data within it is considered publicly available?  Do we inject ourselves into the data analytics process and become part of the arbitration question re: should we use the data in a certain fashion?  Can we monitor and limit/restrict data combination similar to the way in which systems can monitor separation of duties access control issues?


Let's take it a step further.  Remembering that corporate data analytics seeks to (among other things) improve the sales cycle and make marketing campaigns more efficient, imagine the implications if the bad guys choose to take such an approach.  Consider:  your systems are penetrated and data is stolen…but none of the data is regulated by current privacy law or regulation.  Six months later, the bad guys run data analytics against the acquired data and determine the best targets for fraud or scam.  You protected the data and your borders reasonably and can show a tiered approach to your controls…and those controls were appropriate for your environment…you even prevented the breach from reaching the most sensitive data stores…yet data stolen from you was used to target your customers in the same manner that your marketing and sales team target prospects.  Imagine the liability issues that will circulate through the courts.

As your organization recognizes the value of the data it holds, it is important that we as security professionals remind people of the larger risk & privacy landscapes out there.  We cannot rely solely on the legal/regulatory framework to guide us, as the potential brand risks go beyond what the hodgepodge of privacy regulations currently address.  In most cases, you as the security professional will be the first person to bring these concerns to light and as such will risk the possibility of being initially portrayed as a naysayer…but more often the security warrior ends up prognosticating future risks and challenges looming on the horizon.  As we continue to enable our businesses we must ensure that the aforementioned questions -- and dozens more -- are acknowledged and addressed by our business leaders.


My two cents…

Thursday, August 7, 2014

Password Redux

Given the spate of security compromises that have occurred this past year, many of my posts have emphasized the need for aggressive password management.  Unfortunately, aggressively managing passwords comes with its own set of problems and challenges.  Here are a few tips and pointers to help:

  • How Can I Tell If My Password Is Strong?  As a general rule, passwords are considered strong if they contain a combination of upper- and lower-case letters, numbers, and special characters.  Passwords should be at least 8 characters in length, as shorter passwords are exponentially easier to break.
If you want to get a sense of how strong your password might be, take a gander at howsecureismypassword.net.  The site doesn't capture your password, but it'll give you a readout of how long it would take a standard modern PC to crack it.  It's not mathematically perfect, but it can easily show you the difference that just adding one special character or lengthening your password makes.
  • How Do I Keep Track of All My Passwords?  Remembering all those complex passwords is the biggest reason people reuse passwords or choose weaker passwords.   There are a handful of different things you can do to help with this problem:
    • There are ways to construct complex passwords that make them less random and thus easier to remember.  There are several articles which lay out different schema.  Here's a link to one of the better ones.
    • Place your password inside of a spreadsheet or document, then save that document in password protected mode.  Then compress/zip that file using software which allows you to encrypt the file and password protect it (e.g.:  WinZip)
    • There are a variety of password management tools out there which will store and protect your passwords for you on your computers and mobile phones.  If you go this route, though, ensure that your tool is reputable -- since bad guys will throw up faux "password management" apps as a method of stealing your passwords.  The reputable password management tools all have advantages and disadvantages;  this recent article reviews and compares them all.  For free applications I like KeePass...but LastPass Premium ($12/year) is truly the gold standard for password management tools.
A reminder:  if you use a password management system ensure that the password for this system is as strong as you can make it.  That password is, quite literally, the key to your online kingdom.
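To put some numbers behind the "shorter passwords are exponentially easier to break" point in the first tip, here is a small brute-force keyspace calculator.  It is an added example for this post, not code from the original article or from the howsecureismypassword.net site: it estimates the alphabet a password draws from (lower, upper, digits, specials), computes the resulting search space in bits, and converts that into an expected cracking time at an assumed guess rate.  The 10 billion guesses per second default is an illustrative assumption, not a measured figure, and the model deliberately ignores wordlists, so a dictionary word like "password" looks far stronger here than it is in practice.

```python
import math
import string

# Character classes a password can draw from.  The search space an attacker
# must cover is estimated from the union of the classes actually present.
_CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("special", set(string.punctuation)),
)


def charset_size(password: str) -> int:
    """Size of the alphabet implied by the character classes the password uses."""
    size = 0
    for _name, chars in _CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (spaces, non-ASCII) are counted one-for-one.
    extra = {c for c in password if not any(c in chars for _n, chars in _CLASSES)}
    return size + len(extra)


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits: length * log2(charset size)."""
    n = charset_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected seconds to find the password by exhaustive search.

    Assumes the attacker guesses uniformly over the full alphabet and, on
    average, finds the password after half the keyspace.  guesses_per_second
    is an assumed rate for illustration; real rates depend on the hash
    algorithm and the attacker's hardware.  Dictionary attacks are not modelled.
    """
    n = charset_size(password)
    keyspace = n ** len(password)
    return keyspace / 2 / guesses_per_second


def compare(*passwords: str):
    """Return (password, length, charset, bits, seconds) rows for side-by-side review."""
    return [
        (p, len(p), charset_size(p), round(entropy_bits(p), 1), crack_seconds(p))
        for p in passwords
    ]


if __name__ == "__main__":
    # Constructed sample inputs: the same base word, then one special character
    # added, then mixed case and a digit, then simply made longer.
    for row in compare("password", "password!", "Password1!", "passwordpassword"):
        p, length, n, bits, secs = row
        print(f"{p:18} len={length:2} alphabet={n:3} bits={bits:5} ~{secs:.3g} s")
```

Running the script shows the effect the post describes: adding a single special character to an eight-letter lowercase word raises the alphabet from 26 to 58 and the search space by roughly fifteen bits, and doubling the length has an even larger effect than mixing in new character classes.  The figures are an upper bound on attacker effort, which is exactly why the site the post recommends calls its own readout imperfect.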

Hope this helps!

Wednesday, August 6, 2014

Russian Hackers Amass Over 1 Billion Passwords

Many of you may have seen the recent announcement about a Russian hacking group amassing over a billion internet passwords from internet-facing applications.  If you haven't, here's a link to the recent New York Times article.

This hasn't generated a tsunami of chatter just yet but I am certain that many of you will have/face questions.  Based upon what little we know right now, here are some random thoughts and opinions.

  • When In Doubt, Change Your Passwords.  Seems simple enough, but many people still do not do this with regularity.  Worse, many people use the same weak password for multiple accounts.  Changing your password to a strong, complex password that you haven't used elsewhere will eliminate the threat of compromised passwords.  Corporately, enforcement of password policies regarding complexity and periodicity of change will have the same positive impact.
  • The Announcement Timing Is Suspect.  Hold Security (the company that announced this finding) may be doing this for publicity.  Less than scrupulous security firms have often kickstarted their initiatives with a huge announcement like this as an entry into gaining traction in the market.  Add to that the fact that the Blackhat and Defcon Security Conferences are currently underway, and my suspicions become exacerbated.  Indeed, Forbes announced this morning that Hold is now offering a service "for as low as $120" to help you determine whether your password is on the list.
  • We Don't Know The Important Stuff.  Yet.  Until we have more data (who/what/when/where/why) about this announcement, there's little anyone can do corporately/organizationally to protect themselves beyond changing passwords.  Indeed, this is little more than a "the sky is falling" announcement as it is currently crafted.  What would be more interesting is an understanding of what servers in what corporate entities were compromised to get this data.  If Hold Security chooses to release that information (and early indications are that they will not), then the impacted organizations will come under increased scrutiny and may trigger a need for security professionals to reassess their overall protection profiles.
Bottom line for this one -- for now -- is password management.  Only time will tell if we need to take a deeper look at the potential ramifications of this revelation.

My two cents...