No Compliance is Good Compliance

The US Government is getting ready to pass the Cybersecurity Act of 2012.

In this 205-page bill is legislation mandating that entities deemed “critical infrastructure” meet security standards set by the government, including the Department of Homeland Security. The proposed law “is the product of three years of hearings, consultations, and negotiations,” the intent of which is to secure systems which “if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security.”

Like all other compliance mandates, it will fail.

Now let me first say that I am in no way anti-government (except in April), nor would I like our electrical grid, nuclear plants or water distribution facilities left exposed. However, government mandates are unlikely to solve the problem.

Why?

  1. Compliance Mandates are Latent – By definition, compliance regulations are developed and implemented after a threat has been identified. Add to this inherent delay the time it takes for a bureaucrat to understand and measure risk, hire analysts to author a bill and weave its perceived benefit into a re-election strategy, and any potential legislation ends up years behind its need. Compliance is not timely, nor can it be.
  2. Compliance Mandates are Optional – For compliance requirements to be truly successful, all entities subject to regulations would be complying in some way. Unfortunately this isn’t the case, nor is it realistic. Asking the Government to audit all organizations would require armies of people and even bigger piles of money. Some regulations have introduced self-assessments to ease this burden, which has only led to inconsistency in reporting and implementation. Ever heard of anyone going to jail for HIPAA violations? Compliance is not mandatory, nor can it be.
  3. Compliance Mandates are Vague – Anyone who has read the HIPAA Administrative Simplification or FFIEC Guidance knows that the Government is good at telling you what to do, but not how. And honestly, they really can’t be. How could such a broad technical standard be developed for so many different organizations? It might feel a little Draconian if the Feds told you exactly what directory services to use for authentication. Add to this challenge differing interpretations, language and changes in technology. Compliance is not prescriptive, nor can it be.

Despite its good intentions, compliance does not bring security. In fact, it may be having the exact opposite effect. In a recent survey, security administrators found themselves spending between 25 and 100 percent of their time on compliance efforts, all while databreaches were increasing at their organizations.

So what’s the answer?

Let’s trade compliance for security. Rather than penalizing those that aren’t in compliance, how about rewarding those that are secure? If we took the billions that the government spends every year on HIPAA, FISMA, SSAE16, FFIEC, SEC, FIPS, DHS, TSA and the thousands of other regulatory bodies, their audits, personnel and other perfunctory functions and instead spent that on real security education for the right people, we’d be far ahead of where we are today.

If they wanted to go the extra mile, Lieberman and Company could help organizations implement metrics to tell how well they were performing against their security programs. If they wanted to get real fancy the Government could subsidize real risk assessments for organizations in “critical infrastructure”. They’d probably still have money left over for tracking terrorist hashtags on social media.

For most of us, compliance is here to stay. The question is – just how far from real security will it diverge?

Just ask TJX, Heartland or Sony.

Tales From the (Unen)Crypt

Yesterday I was waiting in the lobby of one of our larger clients as I had arrived a bit early for a meeting. I was doing something really useful on my BlackBerry to kill time when a thirty-something year-old woman walked in and approached the receptionist. To protect the not-so-innocent, we’ll refer to her as Jane.

What I’m about to tell you is a true story.

Jane: “Hi, I’m here to see [name deleted] but I think I may be in the wrong building.”

Receptionist: “OK, where do you think you’re supposed to be?”

Jane: “Hold on let me call my office and I’ll find out.”

Jane now steps away from the receptionist desk, pulls her mobile phone from her purse and immediately begins dialing her office for information. She reaches someone who appears to be her assistant, given the following conversation. We’ll make some assumptions about the Assistant’s dialogue.

Jane: “Hi [name deleted] can you do me a favor? I need you to access my calendar to see where my meeting is this morning, I think I’m in the wrong building.”

Assistant: “No problem Jane! How do I get access to your calendar?”

Jane: “My password is ‘Password1’ with a capital ‘P’. Yeah I know it sucks.”

Assistant: “OK well I can’t get to your calendar from my PC.”

Jane: “Yeah you can use my PC, I never lock it.”

Cue Quentin Tarantino soundtrack, an ultra-closeup of highly polished men’s dress shoes as they one-by-one, shuffle towards a thirty-something woman in a black suit, the staccato click of their heels shattering the deafening silence now engulfing the steel and glass lobby, cut to a super-tight shot in slow-motion of a GreyCastle Security business card being drawn from inside suit pocket -

“Hey Reg! Sorry I’m late.”

As I’m snapped from that dreamscape carved straight from a Hollywood set, I realize that we can’t save everyone, and not everyone wants to be saved.

I hope Jane made it to her meeting on time. I hope she changed her password when she got back to the office and has started locking her PC. And her phone. I hope the title on her business card doesn’t say Comptroller. I hope Jane doesn’t have to learn the hard way that just a little bit of security can go a long way.

I hope.

What I Would Do if I Was Zappos

The Zappos hack this week made national headlines for a number of reasons.

First, Zappos, a subsidiary of Amazon.com is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.

Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers for an estimated 24 million individuals, making it one of the largest databreaches in recent history. The value of this data on the black market, using today’s cybercrime figures is in the tens of millions of dollars.

But in many ways the Zappos databreach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.

Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.

This is what I would do if I were Zappos:

  1. I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
  2. I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leaving the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
  3. I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
  4. I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.

It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.

Maybe Zappos should start selling eyewear.

Weaponized Software – The New Assassin

There has been a lot of press lately regarding the assassination of Iran’s top nuclear scientist, or more accurately – the way in which the assassination was conducted.

On Wednesday, January 11, as the USS John Stennis and three other carrier battlegroups arrived in the Gulf region, two anonymous hitmen rode up alongside the Peugeot 405 being driven by Mostafa Ahmadi-Roshan and “pasted” magnetic shape charges to the cabin exterior. They exploded seconds later, destroying the interior of the vehicle and leaving their surroundings untouched.

This bold, high-tech act comes on the heels of two other attacks, both aimed at disabling or stalling Iran’s nuclear capabilities.

The first is a series of suspicious explosions at Iran’s nuclear facilities, one of which killed another top scientist. These explosions were documented by US satellites which clearly demonstrate the origin and impact of the blasts. These explosions occurred “around the time” that Iran was found to have in its possession an RQ-170 stealth drone.

It is suggested that the Lockheed Martin RQ-170 Sentinel is designed primarily for reconnaissance. Of course it’s 66 feet wide and weighs close to 10,000 pounds. That’s one mighty big camera. Oh and it also has modular bays that can be adapted for “strike missions”.

The second is a high-tech operator that executed missions on the ground. Using covert tactics and the latest intelligence, this foot-soldier infiltrated Iran’s top-secret nuclear facilities and quietly disrupted core processing. Rapidly moving from reactor to reactor, this highly trained assassin combined speed, stealth technology and the latest weapons to sabotage Iran’s nuclear capabilities.

It wasn’t until the damage was done that this assassin was given a name.

We called him Stuxnet.

Now we can speculate whether or not Israel or the United States was behind Stuxnet, but one thing has become alarmingly clear – someone wants to destroy Iran’s ability to produce nuclear assets and weaponized software was a key component of the campaign.

Stuxnet, at the time hailed as the most sophisticated piece of malware ever conceived, ushered in a new era. It was not the first time that cyberwar had been waged, but it was the first time that cyber was elevated to that rarefied ether of air, land, sea and space. Even the decompiled code was classified for a time.

Today, nation states are hard at work developing weaponized software that will disable their enemies’ critical infrastructure, destroy military intelligence and render nuclear and other traditional weaponry useless. Cyberwarfare is young, but maturing in dog years. Stuxnet already has one child, and they’re multiplying fast.

In October of 2011, it was made public that the United States Air Force experienced an outbreak of malware on a network associated with assets used to control drones in the Mideast. The origin of the malware was never declassified, nor was the resolution of the incident. Some of us thought that perhaps it was a US Government concoction once again targeting Iran that escaped the labs.

  1. Step 1: Build Malware
  2. Step 2: Infect Drone
  3. Step 3: Crash Flying USB Stick in Iran and Watch From Satellites as it Blows Up Nuclear Plant

Looking forward, it’s clear that software has become part of our military arsenal. We will continue to see more frequent headlines telling stories of cyberattacks on military installations, cyberespionage and weaponized software. Let’s remember that just as China and other countries have stolen our blueprints for drones, tanks and fighter aircraft, they have also built their own cyberweapons.

For now though, I’d turn down that job as an Iranian nuclear scientist.

Life or Death Decisions in Information Security

On Friday an Albany police officer shot and killed a 19-year-old male when a routine traffic stop turned violent.

The suspect and deceased allegedly reached for the loaded .22 caliber handgun that he was carrying after the SUV he was driving was stopped for a traffic violation. Officers shot and killed the man, claiming self-defense.

A public press hearing was held, which quickly became explosive: a chaotic scene with emotions running high.

While it is difficult to draw analogies between a shooting and cybercrime, one can draw some parallels between the physical and cyber realms. It is often difficult to know the best course of action in either. And in both cases, there is rarely enough time or information to make good decisions.

There are no absolutes in our business.

One can draw many conclusions about the potential outcomes of not neutralizing an allegedly enraged and armed suspect on the streets of downtown Albany. We can also make some assumptions about the effects of negligent or absent security controls in the workplace. When it comes to making difficult decisions about what to do or not to do and when to do it, things become hazy real fast.

On the street it can get you killed. In the workplace the worst is usually termination of a different sort.

And sometimes it’s hard to know what side you’re on.

Stratfor, Comodo, RSA and HB Gary all make a living securing other organizations, yet became targets themselves over the past year. According to public opinion, each of them became targets because of who they were - yet they became victims because they didn’t practice what they preached.

On top of that, each made bad decisions while under duress, whether it was latent customer communications or weak security remediation.

Friday’s press release in Albany was chaotic for a number of reasons. First, neither side had all of the necessary information and assumptions were made by both sides about what had happened. We saw this happen to RSA and the other victims in the court of public opinion, as well. It’s tough to know who’s to blame.

What we do know is that a young man is dead. And intellectual property worth hundreds of millions of dollars was compromised. These are indisputable facts. Despite lengthy investigations, this may be as close as we ever get to the honest truth in either case.

There are no absolutes in our business.

Those committed to providing honest, effective security will work tirelessly to perfect their fundamentals and plan for the unexpected. Like good public defenders, good security providers will possess strong situational awareness, true aim and flawless decision-making ability.

Great security providers will be able to do all of that while taking enemy fire.

Security Resolutions for 2012

When most people think of resolutions for the upcoming year, they think about gym memberships and Nicorette.

We think about advanced malware discovery.

Now to be completely honest, those of us at GreyCastle Security do think about things other than information security. We like Indian food. And a good drum solo. But when it comes to making meaningful changes for 2012, we’re all business.

Without doing a whole lot of bragging, 2011 has been a good year for us. But like any business, you must adapt or suffer the consequences. And in this industry, things change rapidly. Threats, vulnerabilities, budgets – even our clients and prospects.

So as December fades into January, or as we call it – Strategic Planning Season – we’re performing a little field surgery on GreyCastle Security. Some of it is cosmetic. Some of it is orthopedic. All of it will help us be even better in 2012 than we were in 2011.

Here’s a preview:

  1. We’re going to assess our services. Today we offer world-class services that deliver real results. The frameworks and methodologies that we utilize are effective and consistent, hardened and trued over the years by experts with decades of experience. This is our strength. And potentially our weakness. The world is changing, and so is the perception of information security. In 2012 we will develop ways to position and deliver our services that challenge the traditions that we lean on.
  2. We’re going to assess our pricing. Our current pricing is fair and balanced and provides clients with convenient options. But it may not accurately represent the value of the services that we deliver. Over the next few months we will revisit our pricing to ensure that both GreyCastle Security and our clients are experiencing maximum ROI.
  3. We’re going to assess our competition. Today we have no direct competitors. Tomorrow that advantage could vanish. National providers, IT VARs, independent consultants and others all see the opportunity in information security, and they want a piece of the rapidly growing pie. Our lead on these entities is substantial, but we must be strategic in our thinking and tactical in our advances if we are to maintain this lead.
  4. We’re going to assess the enemy. More accurately, enemies, some of which are working for the good guys. In this battle we are being flanked on all sides by hackers, malicious insiders, well-meaning employees, nation states, compliance requirements, security vendors, the government – the list is long. And we will keep our sights trained on the true enemy – risk – and continue to deliver services that effectively reduce risk for our clients.
  5. We’re going to assess our brand. Success requires many skills and attributes, none more important than trust and integrity. We will infuse these characteristics into everything we do. And the world will know we are GreyCastle Security.

We have seen countless predictions of what 2012 will bring; increases in mobile malware, a predilection for the cloud, the rise of targeted attacks and continued security unawareness.

For those who recognize the need for adequate protective measures these are simply challenges to be met by a solid business plan and security fundamentals.

For the rest of you, may I suggest an updated resume. :)

We wish you a healthy and prosperous New Year.

A Blast of Fresh Holiday Security Cheer

The holiday season is a great time of year, one of my favorites. Cookies and mistletoe, decorations and caroling, the festive spirit always brings out the best in people.

I’m kidding about the caroling, but the holidays definitely put me in a good mood. Everything looks brighter, and my attitude is more positive. I generally feel better about life, even if circumstances haven’t changed.

So I suppose it’s no surprise that I’m here to provide each of you with a fresh perspective on your information security headaches. Yes, I’m sure you’ve all had serious problems this year – technical, financial or operational – and you’re expecting more in 2012. But now is a time for reflection. A time for renewal. A time to forget old acquaintance, and auld lang syne.

Consider it my gift to you.

So get yourself a warm cookie and a chilled goblet of your favorite Christmas cheer, and get cozy in front of the fireplace while I attempt to make eggnog out of rotten security eggs.

  • You’re only as bad as your last fail – We’re all human, and we all have the same defensive mechanisms. This means that, in general people will only remember your last disaster. So cheer up! The SQL injection flaws you left exposed in April don’t matter anymore, all that matters today is the massive databreach from November. Tomorrow is a new day.
  • The good guys will always be behind – By definition, we will always be in reactive, defensive mode, but that’s OK! If you do the math you realize that they can’t get all of us. Also, we may be losing the race but there are only two runners so we’re guaranteed second place. That’s a silver medal in some contests.
  • There are no guarantees – There is no such thing as 100% secure – so find comfort in that fact. The day I gave up thinking I would ever dunk a basketball was a happy day, I just didn’t know it yet. Mediocrity can be invigorating if given a chance and approached with the right perspective. You’re as likely to secure your enterprise as I am to dunk a basketball. Enjoy.
  • It’s always going to be this bad – Things in the information security Universe are frighteningly bad, but it’s always been this way and it always will be. So relax – there’s no sense killing yourself over something you have little control over. Read a book. Go to lunch. Or even better, get your Law degree and save your career.
  • Everyone else has problems, too – If all of the above attempts to freshen your perspective have failed, rest easy – the bank across the street really has it bad. So does the hospital you go to. And the fast food chain where you had lunch today. Oh and don’t forget about your car dealer, your kids’ college and your church. And every other business within visible range. In fact, you’re probably no worse off than anyone else. So take a deep breath and revel in the fact that everyone sucks at security.

By now you’re probably ready to build a snowman and donate your bonus to charity, so I’ll let you get back to your holiday preparations. Just remember that there’s a bright side to information security and there’s no better time than the holidays to celebrate that fact.

I feel better already.


Information Security – How Much is Enough?

Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?

Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:

  1. How secure am I?
  2. Am I more secure than I was last year?
  3. How much should I be spending on security?

Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.

Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.

Enter security metrics.

Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.

Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.

To develop a measurement system that will be useful, you need to build metrics to address two audiences: you, and your CEO.

The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.

The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.

Here are some metrics to consider:

  1. Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
  2. Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
  3. Mean-Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover (versus our customers, partners or other third-parties) and how long did it take? Secondly, how long did it take to recover from critical incidents?
  4. Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
  5. Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?

The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.

(For some other ideas, check out the CIS Consensus Information Security Metrics)

Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.

Get your metrics right and the next time your CEO asks “how secure am I” you can say... “No worries mon.”

Security is a Myth

If you own a printer or a smartphone, you’ve probably done some rethinking about a few things over the past week or two. The recent rash of headlines to hit the mainstream media have produced much speculation, misinformation and meetings with Congress, but they have been successful in reaffirming one thing:

Security is a myth.

On the surface, the act of collecting semi-personal information about our calling habits and surreptitiously shipping this data off to mobile phone carriers is bad. At a minimum, having 140 million printers and multifunction scanners and faxes on our networks that are vulnerable to attack is bad.

But the real problems go much deeper.

Consider that our mobile phone carrier told us all about CarrierIQ, but we didn’t care. Yes, it’s right there in the fine print. Very fine. Our End User License Agreement told us that they were going to steal our personal information and use it to analyze our usage habits, and then we happily signed the paperwork. We had a chance to say no, but we either didn’t care, didn’t take the time to understand the security implications, or made the decision to trade our personal data for convenience.

We do it every day.

We should also consider that Angry Birds isn’t much different than CarrierIQ, and the information is going to a pretty-much-unknown-third-party. Our names, addresses, possibly even our GPS coordinates given the appropriate permissions. Yet we happily trade that information for a few minutes of enjoyment.

It’s bad that smartphones are shipping off our personal information, but it’s much worse that we said it’s OK.

And we introduce hardware and software to our work environments in the same manner. Hardware and software that was never designed to be secure. Sophisticated multifunction devices that host web servers and command shells that accept software updates and connections from anyone. These devices are like hacker outposts.

It may be bad that these devices are vulnerable, but it’s much worse that they have access to all of the other assets on our networks.

If you want to know what it’s like to attempt security in today’s world, try jumping into a pool without getting wet. The odds are the same. Everything around us is vulnerable, from our resumes to our Facebook walls, from our mailboxes to our personal interactions. The true saving graces are that there are always less secure entities than you and there are only 24 hours in a day.

Now if this sounds a bit cynical, please don’t misinterpret: I believe that good will always prevail over evil.

We just might get a little wet along the way.

Why Hackers are Winning

Last week’s SC Congress in New York City was short and sweet. The one-day security conference focused on emerging threats and case studies, including Barnes and Noble, Tyco and HSBC. There were several hundred in attendance. The multi-grain tunafish box lunch was delightful.

Among my favorite presenters was Mark Clancey, the CISO for the Depository Trust and Clearing Corporation (DTCC). You’ve never heard of this organization, but you use them every day. In fact, we all do. DTCC provides clearing and settlement for equities, bonds and securities for the US and 121 other countries. In 2009, DTCC settled more than $1.48 quadrillion in securities transactions. Yes folks, that was not a misprint. The number is so big that they had to make up a name for it.

In his talk he described the information security challenges they face, which are understandably different from most. Asked what he considered to be his greatest security hurdle, he responded “information sharing”. He went on to describe DTCC’s relationship with the FBI, the FS-ISAC and other information sharing organizations, and the difficulties they face. We’ve seen this problem cited countless times before, including its roots in 9-11. He closed by saying that “hackers communicate better than we do”.

Bold.

But is this why we’re losing the war on cybercrime? As I wandered off, deep in thought it occurred to me that there may be other areas where hackers are outperforming us. Perhaps it wasn’t their cunning, but rather their ability to understand business, strategy and process that was their advantage? Sitting and waiting for the coffee break I came up with the following possibilities:

  1. Hackers don’t burden themselves with compliance – It may sound silly, but there are entire industries causing victimized organizations to become distracted from the real goal. Compliance regulations have good intentions, but applied in the wrong context or culture they can be counter-productive. Hackers get the job done in the most efficient and cost-effective way, without cycles spent on annual reporting or scans.
  2. Hackers don’t rely on technology – The tools in use by today’s hackers are simple and effective and are geared towards ROI. While no doubt a successful attack may require a reliable rootkit, if the one they’re currently using doesn’t work, they’re not afraid to move to an alternative. Technology is a means to an end, not a religion. And it’s generally inexpensive to make and support.
  3. Hackers know their risks – Whether you’re a hacker, hacktivist or corporate spy, the priority is not getting caught and they put lots of wood behind this arrowhead. The numbers speak for themselves; today there are roughly three million people incarcerated in the US (it typically runs at 1% of the population). In 2011, the FBI caught (not convicted) but 17 US citizens for computer-related crimes (the total is a measly 35 globally). The value of banks being robbed by gun is dwarfed by the value of banks being robbed by computer. You do the math.
  4. Hackers don’t use default passwords – While I remember only bits and pieces of this story, the moral still rings true. The FBI, along with their foreign counterparts in Estonia, were working to extradite an alleged cybercriminal, his laptops and other computer equipment. The suspect, after being worked over for weeks by the Federali, finally handed his laptop encryption password over – it was a passphrase nearly 300 characters long.
  5. Hackers don’t have sensitive data – Sure it’s true that they have an asset that they’re generally trying to protect, but if they lose it or it’s stolen they know where to get more. Besides, is it really sensitive if it’s not even theirs? In addition, there are no HR databases. No credit card transactions (not on their own cards, at least). Hackers could teach us CISSPs a thing or two about reducing our attack surface.
  6. Hackers don’t trust – Aliases. Onion routing. Offline couriers. Money mules. There is no trust in hacking. This is essential to their survival.

Now this list shouldn’t imply that there aren’t idiot hackers out there throwing up pictures of their new Porsche (complete with Russian license plates and geotags) on torrents once in a while, but we don’t hear about those incidents all that often. The reality is, when it comes to Operational Security (OPSEC), hackers are beating us like a барабанчик.

We often recommend to clients that they “think like hackers” when developing their security programs. The idea comes from Sun Tzu – in knowing their attacker, they can best develop their security measures.

Perhaps we should also suggest that clients look to hackers when developing their business plan.