Wednesday, February 19, 2014

Eulogy to Windows XP

(The following eulogy was written by Sam Marshall from Treca Educational Solutions.  Enjoy!  -K)

 

Many of you may have heard that Windows XP will soon see retirement and no longer receive updates or support from Microsoft.  So let’s take a moment to remember Windows XP:


  • When Windows XP was released on October 25th, 2001, President George W. Bush had not yet completed his first year in office.
  • The minimum amount of RAM to run it was 64MB;  the iPhone 5s comes standard with 1GB, which is 16x more powerful.
  • When Windows XP was launched there was no Facebook, Twitter, or Pinterest.
  • Businesses wanting to install Windows XP could prepare 6 FLOPPY DISKS to install the operating system on systems that did not have a CD-ROM drive.
  • By January 2006 over 400 million copies had been sold.
  • Microsoft officially ended sales of Windows XP on June 30th, 2008 -- over 5 and a half years ago!
  • Microsoft has released 3 newer operating systems after Windows XP.
  • Even in 2014 Windows XP is being used on nearly 30% of the world’s computers.  Many of these systems are ATMs and point-of-sale devices.
  • Microsoft will end support of Windows XP on April 8, 2014 (less than 60 days away).

 

Why should you care?

 

If you, your friends, or your family run Windows XP, know that after April 8th these systems should no longer be considered secure.  Microsoft will no longer release security patches or updates for Windows XP.  These updates are like vaccines, and Microsoft ending support means no more vaccines will be made to keep your system healthy.  (Note:  Microsoft is offering some level of continued patching support for businesses, but the price points are punitive.  No such support has been planned for individual consumers to my knowledge.)

 

Sadly, there are no easy solutions.  The only options available are to update to a new operating system or to purchase a new computer if your current one cannot run a newer version.

Sunday, February 16, 2014

Blinded (and Bitten) by Compliance

I have remained silent on issues of security as we entered the new year, and many of my readers have asked me why. With the plethora of merchant breaches that hit the news during the holiday season, surely I had an opinion (or six) on the topic...so why not share them?  The reason was simple: there were already so many "experts" and pundits providing comment with minimal information that adding one more voice to the fray would most likely be counterproductive.  The merchants who were breached have been vilified in the press and had their collective competence unfairly questioned by far too many people in far too many venues;  anything I had to say (and much of it would be favorable to my security brethren) would merely add to the noise...and might be subject to misinterpretation by folks hungering for a story.  Still, now that the media drama has subsided and we're into the "what must be done" phase of the crisis, I think it's time for me to come up for air.  While I don't wish to continue "making glue" out of well-flogged security issues, there is one area that I believe bears a tad more exploration:  the PCI-DSS and its role within payment security.

Earlier this month, Bob Russo of the PCI Council formally responded to criticisms of the PCI-DSS standard in the wake of recent breaches.  Mr. Russo reminded naysayers that (a) there is no such thing as a silver bullet; (b) the PCI standard represents an "excellent line of defense" in terms of security; and that (c) it is not the job of the PCI Council to enforce merchant or banking institution security.  In short:  the recent merchant breaches do not represent a failure in the PCI-DSS but rather a breakdown in security controls within the respective institutions.

Hmmm....

I remember working as a CISO in the mid 2000s during the early days of credit card breaches.  I remember watching a couple of television commercials sponsored by all five major credit card brands touting the safety and sanctity of credit card payments.  Every time I saw one of these commercials I noted to my colleagues that I felt the credit card companies were "running scared" from regulation in light of the then-current state of breaches;  I was curious as to what the card brands would propose to fend off the spectre of further regulatory oversight.  The very next year, PCI-DSS came into being.  More prescriptive and detailed than HIPAA, the PCI-DSS had more teeth than existing federal mandates given the ever-looming possibility of losing the ability to process electronic payment transactions.  During this time, the card brands feverishly campaigned to anyone who would listen about how PCI-DSS would collectively raise the bar in how credit card processes were secured and inject peace of mind back into transactions.

The security community willingly and eagerly jumped onto the compliance bandwagon, touting HIPAA, PCI, and GLBA whenever possible.  "At last," the community said, "we have a useful arrow in our quiver."  Security was either the law of the land or a regulatory requirement for business.  We hitched our programs onto these regulations and laws with reckless abandon, eschewing the naysayers (yes, I was one of them) who touted the regulations yet cautioned that they could become yet another brand of FUD (fear, uncertainty, and doubt) if we linked our programs too closely to them.  Years would pass before we would come to realize that by equating security to compliance we risked watering down our programs to the minimum necessary controls required to obtain a compliant state.  It would be even more years before we recognized that the final determination of legal and/or regulatory sufficiency often did not reside within security but with the offices of the corporate attorney.

At the end of the day, any security professional has to agree with the statements made by Mr. Russo.  Any assessment against regulation is a point-in-time view of an organization, and while the DSS is an excellent standard it mightn't be sufficient to ensure security of all critical assets within the environment.  Worse, if security controls are not monitored and appropriately enforced then even the most robust ecosystems will become vulnerable.  In defending the PCI-DSS and its viability, Mr. Russo has merely restated a tenet that security professionals started saying en masse several years ago:  compliance does not equal security. My minor umbrage, if you will, to Mr. Russo's comments stems from the fact that the security community's late realization of the aforementioned tenet was one of the contributors to the successful marketing of the PCI-DSS as a standard of excellence for security.

One cannot help, as a community, feeling partially thrown under the "blame bus" by an ally.

Mr. Russo's interview should hopefully represent a wake-up call for those still focused on compliance instead of security.  Anyone struggling with their leadership to focus on holistic, risk-based security versus compliance should use Mr. Russo's interview as a reminder of the role -- and limits -- of compliance within one's security program.

My two cents...

Wednesday, December 4, 2013

Millions of Gmail, Yahoo, Twitter, and Facebook Passwords Stolen

Hackers have stolen usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, according to a report released this week.

The massive data breach was a result of keylogging software maliciously installed on an untold number of computers around the world, researchers at cybersecurity firm Trustwave said. The virus was capturing log-in credentials for key websites over the past month and sending those usernames and passwords to a server controlled by the hackers. You can read the details of the breach here, but you should change your passwords on these services as soon as possible.  Spread the word!

Sunday, December 1, 2013

Security Tips for Cyber Monday

I am a seasonal retailer's worst nightmare...

...I am a consumer who shops for Christmas well before the holidays.

I've never done a Black Friday nor a Cyber Monday shopping extravaganza;  by this time of the year I am focusing on decorating the house, writing Christmas cards, and swinging by the local supermarket to pick up some gift cards as stocking stuffers.  The idea of queuing in lines for hours and then fighting over towels is as bewildering to me as staying up until midnight in front of a computer screen to snag an online deal.  Nevertheless, millions of consumers in the US will engage in these post-Thanksgiving rituals with eagerness and zeal.

This year several prognosticators are anticipating more retail revenue generated on Cyber Monday than on Black Friday.  In anticipation of this onslaught, many in my profession are reemphasizing the importance of protecting yourself while online shopping.  There are several decent articles out there with lists of good practices (you can find two of them here and here)...but one more can't hurt.

Here are my Tips for Safe Cyber Shopping:
  1. Patch Your Systems.  Sounds simple, doesn't it?  Still, many personal computing devices and applications remain unpatched and vulnerable (as this year's data breach reports point out.  Again.).  Patch the O/S.  Patch applications.  Update your virus software definitions...and run a thorough scan of the system before you start surfing.
  2. No-App Monday.  Cyber Monday is not the day to download new apps or ringtones onto your personal device.  Expect an onslaught of "new" or "discounted" apps to hit the app sites, offering you every convenient phone functionality you can think of.  While many of these might be legitimate, a significant percentage will not be.  Remember that the easiest way for the bad guy to get into your systems is for you to willingly let him in.  Downloading an app opens your front door to the cyber crook.
  3. Ignore Pop-Ups.  Do not respond to any pop-up window offering you additional discounts/savings/deals simply by clicking on the window.
  4. Know Your Retailers.  If you are going to shop online on Cyber Monday, do so with retailers that you know and have done business with before.  Cyber Monday is not the day to "try out" a new online retailer or a known retailer's new online functionality.  Also, remember to check the URL of any known retail site that you visit by hovering over the link or inspecting the full URL in the browser window.  Look at the beginning of the string and make certain that the site you are on is the correct one (e.g.:  amazon<dot>com versus amaz0n<dot>com).  Do not assume that you will recognize a phony website just by surfing it;  scammers have become quite proficient at creating professional-looking sites.
  5. Manage Your Risk.  Limit the amount of risk you incur when shopping online by controlling the dollar amount that the bad guys are exposed to.  Using credit cards is the most popular method of mitigating this risk, but not the only way.  PayPal is, by its design, a risk-limiting method of payment and is also effective.  You can also get creative with your banking instruments and designate one checking account/debit card for online shopping and only populate that account with the monies necessary to pay for your online purchases.
  6. Password Sunday.  Scammers are looking for access to your accounts and data as well as your financial instruments.  If you shop online on Cyber Monday, consider doing a full-fledged password update and lockdown the day before.  Most individuals use the same password for multiple accounts...and (as recent breaches continue to show) most of these passwords are extremely weak.  If a scammer utilizes Cyber Monday activities to gain access to your system, having strong individual passwords stored in a secure offline container may slow down the potential damage that can be done.  Given the plethora of passwords that most people need to remember, it would be foolish of me to tell you not to capture them somewhere; be smart/prudent re: where and how you store them, though.  Personally, I am a fan of KeePass, which I store on an IronKey that I keep in my firebox...though there are less-paranoid and less technical solutions.
  7. Remember Barnum.  P. T. Barnum is often credited with saying that "There's a sucker born every minute."  Scammers and criminals live by this philosophy.  If something sounds too good to be true, it probably is.  Be skeptical of "dream" deals and discounts.  Do not go down the rabbit hole of exploring such deals, regardless of how tempting they are.  Remember, it only takes a nanosecond to compromise a system.
(Historical note:  for the purists out there, I am aware that Barnum never said the aforementioned maxim;  go here if you want the correct reference.  Yes, I have friends who will obsess over that point [squirrel!])
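A small script that applies the URL-inspection advice in tip 4, added here as an example and not part of the original post: it pulls the host out of a link, folds common lookalike substitutions such as the 0-for-o in amaz0n<dot>com, and compares the result against a constructed list of retailers the shopper already knows.  The retailer list and the substitution table are assumptions made for illustration.

```python
"""Lookalike-host check for the "Know Your Retailers" tip.

Added example, not code from the original post.  Given a URL the shopper
is about to trust, it extracts the host the browser will actually connect
to, folds visually confusable characters, and compares the registrable
name against a constructed allow-list of retailers the shopper knows.
"""
from urllib.parse import urlsplit

# Constructed allow-list (assumption): retailers the shopper has used before.
KNOWN_RETAILERS = {"amazon.com", "bestbuy.com", "target.com"}

# Assumed substitution table: characters commonly swapped in lookalike names.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable_host(url: str) -> str:
    """Return the last two labels of the URL's host, lower-cased.

    These labels decide who you are really talking to; anything to their
    left ("amazon.com.deals.example") is just a subdomain controlled by the
    owner of the rightmost labels.  Two labels is a simplification that
    ignores multi-part public suffixes such as co.uk.
    """
    if "://" not in url:
        url = "https://" + url          # bare hosts as typed in a browser bar
    host = urlsplit(url).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_confusables(name: str) -> str:
    """Replace lookalike characters so 'amaz0n' and 'amazon' compare equal."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def classify(url: str) -> str:
    """Return 'known', 'lookalike of <retailer>', or 'unknown' for a URL."""
    host = registrable_host(url)
    if host in KNOWN_RETAILERS:
        return "known"
    folded = fold_confusables(host)
    for retailer in sorted(KNOWN_RETAILERS):
        if folded == fold_confusables(retailer):
            return f"lookalike of {retailer}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links: one genuine, one character-swap lookalike,
    # and one that hides the real name behind a familiar-looking subdomain.
    for link in ("https://www.amazon.com/gp/deals",
                 "http://amaz0n.com/login",
                 "https://amazon.com.deals.example/login"):
        print(f"{link:45} -> {classify(link)}")
```

The third sample shows why the host, not just the start of the string, matters: the link begins with amazon.com but actually points at deals.example.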

Hope this helps.  Please feel free to pass this along to your friends.  Safe shopping, all!

Saturday, November 23, 2013

Vendor Kabuki

Recently, a good friend of mine and longtime CISO left the chair to become the chief security strategist at a well-known security technologies company. A few weeks after that transition, my buddy and I sat down for a long overdue dinner with some friends. During the meal we discussed the transition from responsible charge to vendor. My colleague was less than thrilled at all aspects of the transition.

"Overnight I went from being a respected colleague to 'just another vendor,'" my colleague complained. "I'm no longer allowed at CISO events; I am no longer eligible to sit in CISO-exclusive meetings; professional organizations that I have supported for years treat me like a second class citizen; and folks whom I interacted freely and openly with won't return my calls.  Why is it that CISOs treat vendors like dirt?"

As I was about to respond, another colleague of mine who had crossed over to the vendor side nodded her agreement. "You're an anomaly, Kim," she asserted.  "You treat vendors as partners; most of your peers treat us like dirt."

I admit that I was taken aback by these comments...but only a little.  Vendor opinions of me tend to be decidedly bipolar.  My style of engagement tends to be direct and pointed;  while many vendors enjoy this honest dialogue, many more have found me extremely "difficult" to engage with. I didn't pursue the conversation over dinner (I was the only non-vendor at the table and my colleagues were in full rant mode :) ), but I did spend some time mulling over the problem.

Like most relationship challenges, the problems with the vendor/CISO relationship are two sided.  I would posit that the CISO portion of the relationship dysfunction centers around something I like to call the egoism of motivation.  In an earlier blog post, I posed the question of why security professionals do what they do.  While I left the question open ended, I would submit that the majority of us walk the path we do for semi-altruistic reasons.  While our careers tend to be fairly lucrative these days, most of us end up fighting an uphill battle for resources and understanding with those who would quickly turn us into scapegoats should an adverse event occur.  Yet despite this environment we keep going back into the fray with zeal, passion, and dedication.  We are not cops or soldiers, priests or firemen...but at some visceral level we do share the same passion for service and making a difference as those in the aforementioned professions.  In this context, it is at times difficult to engage with those who purport to understand our concerns yet do not share our motivations.  CISOs have no objection to money or profit motives -- hell, I have a kid in college and am all about not having my paycheck bounce :)  That being said, it is at times vexing to engage in conversations about a tool or service with vendor personnel who don't share your motivations; who don't necessarily have similar experiences; and who seem more concerned about acquiring your (very) limited dollars versus resolving your near and long term challenges.

Even for those of us who manage to get past our own egoism, there still exists the challenge of vendor-CISO communication.  Several years ago I came across a webinar by Paul Glen, author of the book Leading Geeks.  In this webinar, Mr. Glen discussed seven "contraxioms" -- axiomatic ideas and/or concepts for which geeks and non-geeks have contrasting ideas.  Glen's 6th contraxiom -- one which I feel is especially relevant to the topic -- centers around the concept of lying. For the geek:

-Lying is evil;  truth is sacred.
-Answering yes to a question when you don't absolutely know if something is true is a lie.
-Exaggeration and opinion stated as fact are lies.

For the non-geek:

-Lying is not good;  it is bad manners.
-Answering yes to a question that you know is false is a lie.
-Exaggeration and opinion stated as fact are simply a part of normal speech.

With such a disconnect in terms and terminology, the CISO oftentimes finds it daunting to trust that which he hears from his vendor brethren.  Our axiomatic differences leave us at an impasse whereby our vendor brethren are often perceived as disingenuous in their dialogue...and the time it takes to determine the proper questions to ask to get to the level of detailed, accurate data desired is time taken away from our daily missions of protection and enablement.  Just yesterday one of my esteemed colleagues said at a conference:  "Every time a vendor speaks to someone in my organization I lose a week's worth of work getting to the truth behind the sales pitch."

With these types of cultural dynamics at play, it is easy to understand why CISOs and vendors operate at best under a guarded truce...but it doesn't have to be that way. Indeed, both vendors and CISOs would benefit from an attitude of true partnership on both sides of the equation.  As a CISO, I operate with certain guidelines when dealing with vendors:

-1.  Be Plain Spoken.  Understand what requirements you are trying to fulfill, and communicate them directly. As part of that communication, ensure your vendor understands whether your engagement is exploratory; whether you are trying to fulfill a short term spend; or whether this will be a long term process happening within the next fiscal year.  Your vendors, like you, also have requirements they need to fulfill;  it is disrespectful of their time and mission to have them spend months with you for a supposed potential sale when in reality you have no intention of making a purchase.

-2.  No Loss Leaders.  While I admit freely that I will always try to obtain services as cheaply as possible, I recognize the vendor must make a profit.  I do not insist upon loss leaders or additional free services from a vendor in order to close a deal.  If offered, I will accept them...but I do not make or break deals based upon the amount of free stuff I receive.

-3.  Respect Vendor Budgets.  This one plays in the realm of both ethics and mutual respect.  Vendors will regularly offer up dinners, tickets, etc. to get your attention or your time.  Notwithstanding appropriate legal and corporate guidelines for accepting such gifts, I make it a practice not to accept such offers if (a) I am not interested in the product or (b) I have no budget for such products. 

The vendor reps with whom I operate best also understand my expectations of them:

-1.  Be Plain Spoken.  I would rather be told "No, I can't do that," than have someone tell me that their service or product meets a need of mine that they are not equipped to perform.  Don't attempt to put a square peg into a round hole for the sake of a near term sale.

-2.  Focus on the Long Term.  While I respect your near-term quota, I am looking for vendor partners who understand my long term needs and constraints.  Don't sacrifice a long term relationship for the sake of a sale.

-3.  Deliver.  Do what you say you are going to do...and ensure your products do what they say they will do, as well.  I expect this level of discipline and results from staff;  I should expect no less from my vendors.

I have met a handful of vendors (Anna, Ed, Gabi, J.R., Jason, Joel...and the late Ryan Richard) who understand and operate comfortably within these expectations.  In return, I have developed strong partnerships with these individuals and the companies they represent. Indeed, as these individuals have moved from company to company they have opened doors to their new products to me;  any company that would employ vendors of their caliber clearly has highly ethical business practices.  These individuals get my most valued resource -- my time -- freely.  Conversely, I have met a plethora of vendors who refuse to be straightforward; who don't deliver on promised functionality; and who remain primarily concerned about making a quarterly quota.  These vendors are either relegated to afterthoughts in my strategic planning...or are removed from my environment along with their products.

While I might be considered an anomaly to my vendor colleagues, I have found the aforementioned vendors to be anomalies amongst their profession as well. Indeed, I reminded my CISO-turned-vendor that his new company (which had a reputation for arrogant, bullying marketing tactics) only hired him after the better part of a decade in the security space.  Could it be that their incentive is due to having achieved a certain market saturation that they cannot move beyond without a long-overdue change in approach?

Vendors and CISOs do need to reevaluate their relationship if the collective profession is to improve.  Both sides have work to do in strengthening our ties if we are to succeed.

My two cents...

Sunday, November 17, 2013

Preparing for Black Friday and Cyber Monday

If you don't know who Dan Lohrmann is and you work in security, you're truly missing out. Dan is CISO for the State of Michigan and is one of the thought leaders of our profession. Early on, Dan's leadership challenged him with the classic "figure out HOW instead of telling me NO" dilemma -- and he rose to the occasion with some innovative approaches and solutions.  Dan is a regular speaker and blogger on the business of security and is worth listening to.

What I love about Dan is that he never forgets that security is a personal matter. Addressing security issues and challenges as relate to individuals is just as important as looking at holistic, enterprise technical issues.  In his latest blog post, Dan gives us a "good, bad, and ugly" look at some of the pitfalls and benefits of Black Friday and Cyber Monday shopping.  Definitely worth your perusal...and worth sharing with your friends, colleagues, and security constituents.  You can find Dan's article at this link.  Enjoy!

Monday, November 11, 2013

Solving the Identity Problem

Just last week I ran across an article regarding the FIDO Alliance.  FIDO -- which stands for "Fast Identity Online" -- was created about 18 months ago to address the lack of interoperability amongst strong authentication standards/controls/technologies online.  The typical solution to this problem has been multiple authentication credentials...which has led to weak passwords and the use of a single password across multiple accounts (both conditions which actually weaken security).  The FIDO Alliance seeks to correct this problem by promulgating strong open authentication standards which can be utilized across multiple technologies on multiple platforms.  Currently the FIDO Alliance has begun conformance and interoperability testing for its Universal Authentication Framework and Universal Second Factor products.

So...why should we care?  Several reasons:

  • The FIDO Alliance has attracted some heavy hitters in the heavily-regulated payments industry such as Mastercard, PayPal, and Oberthur Technologies.
  • Michael Barrett, former CISO of PayPal, is president of the alliance.  Love him or hate him, Mr. Barrett has always taken a thought-leading approach to security issues.  He's worth listening to/paying attention to.
  • Multiple passwords are the bane of a security professionals' existence, yet we haven't yet solved the problem;  the Alliance's structured approach signals a beginning to a potentially viable solution.
  • The FIDO solutions represent a potential beginning to the long talked-about concept of "bring your own IDENTITY" which has been bandied about in recent months.  BYOI's problem centers around how we truly federate identity across disparate platforms and providers.  FIDO's standards and tools seek to solve this problem.  If they are even mildly successful, it could be a truly sea-changing leap in how we approach issues of security, authentication, and compliance.

Information about FIDO can be found here.  Keep an eye on these guys!