
Smashing Pumpkins, Security Myths and Pretty Much Anything Else We Can Get Our Hands On

Hurricane Sandy, appropriately named after a slow-moving but powerful family member of yours truly, spent the last few days wreaking havoc on the East Coast.

And while some of us made it through with just a bit of sideways rain, I’m sure there are more than a few businesses out there putting a Business Continuity Plan on their “To Do” list this morning.

Better late than never, they say.

Or is it? After all, Upstate New York has experienced an earthquake, a tornado, epic flooding and two hurricanes in the past fifteen months. This in an area that is considered relatively protected from Mother Nature.

Maybe it’s time to rethink the “cross your fingers” Risk Management strategy. And just in time for Halloween.

Tonight, on All Hallows’ Eve, most of us will engage in some sort of ghoulish tradition, whether carving a pumpkin for the front stoop or trick-or-treating with the kiddies. And yet we know that most, if not all, of these activities can end in some kind of trouble.

Chances are good that the creepy teenager down the block with the acne and the freakishly thick eyebrows is going to smash your pumpkin. Someone’s car is going to get a clean shave. And Mrs. McGillicutty’s willow tree is probably getting TPd.

But despite all of this, we trust our kids and neighbors to make it through the night without serious damage. We trust that things won’t get out of hand. We trust that people won’t kill each other over a bag of treats.

We trust.

And in that apparent weakness lies one of our greatest strengths. In trust we gain the ability to go about our lives. To interact with others. To exist.

Without trust, we could not walk down the street at night without checking every dark corner. We couldn’t approach a stranger’s door without a background check. We couldn’t eat candy without inspecting every chocolatey bite.

Without trust, we could simply not function.

Trust is at the heart of every security model on planet Earth. Despite popular wisdom, the security controls that we put in place to protect our information, people and other assets imply some measure of trust in their relationships.

We trust that a firewall will disallow specific protocols on specific ports. If we didn’t we wouldn’t buy them. But like the creepy kid down the street, trust only goes so far.

At some point, you need to verify.

And what better time than Halloween for a lesson in verification? Whether it’s the batteries in your flashlight, the traffic crossing in front of your little Spiderman or the bra strap on your girlfriend’s Lady Gaga BaconSuit costume, sometimes you just need to verify.

Halloween is no time for a wardrobe malfunction.


The Walking Dead

It seems that everybody loves a good zombie apocalypse.

The Walking Dead has become the highest rated cable series ever. And for good reason. The thought of free gas, unlimited travel and zombie target shooting is appealing to many.

And regardless of how you feel about Rick and company’s impending doom, there is one thing that is pretty clear – they weren’t exactly prepared.

That being said, they haven’t exactly screwed everything up, either.

Let’s take a critical look at the team’s security strengths and weaknesses, zombie-style:

Strengths:

  1. Leadership – Although at times challenged by Shane, Merle, his wife, zombies and the occasional deer, Rick quickly established himself as the Incident Response Lead, and a reasonably effective one. Never mind that he had to kill his best friend to get there.
  2. Escape and Evasion – You can’t argue with success. Even the elderly, ladies and children have made it through hordes of feasting undead. And zombie meatsuits? Brilliant.
  3. Conservation – I’ve never seen a group of newbies shoot with such deadly accuracy. Ammo may be free in the post-zombie-apocalyptic world, but why take two shots if you can get the job done in one? High ratings here.

Weaknesses:

  1. Tactics – How many times is Rick going to wander off by himself in the middle of the night in a heavily zombie-occupied zone searching for someone who likely died two episodes ago? Isn’t this guy a trained Sheriff?
  2. Communication – Seriously, Rick, next time you’re in town grab a walkie-talkie or something. Or a flare. Anything. Must you all wander about wondering what everyone else is up to?
  3. Planning – Oh, and while you’re at it, grab a pencil. And WRITE SOMETHING DOWN. Like where the exit is. Or where you found the beans last time. Or maybe come up with a plan. Like what you’re going to do for the next 40 years.

I have to admit I’m a huge fan of the show, and I have been since it debuted in 2010. I’d be lying if I wasn’t a little jealous – living out a zombie-apocalypse is sort of a fantasy of mine. I often wonder how I would fare. Baked beans and all.

The real lesson here is that we can’t exactly plan for everything. Preparation is important, but adaptation is critical. The ability to survive – in business or otherwise – depends on our ability to recognize our threats, weaknesses and the most effective ways to counteract them.

Bullets and beans don’t equal survival. You need people who know how to use them. And a plan.

One way or another, we’re all going to end up a Rick or a zombie.

The choice is yours.

I Was Wrong About Security

Back in the mid-2000s I was managing enterprise security for a medium-sized entity in critical infrastructure.

Along with security I was managing much of the Information Technology team, including the Help Desk. My management style tends to be pretty hands on, and one of the things I liked to do was walk around and survey my minions in the morning.

I would talk to my teams about their problems and headaches, and if I got lucky, what was going well.

One morning I was passing through the Help Desk when I overheard one associate – we’ll call him Fred – working with an end-user on a problem. Fred kept repeating, “yes, go ahead and put your mouse on the OK button and click”. Seemed simple enough.

Well after multiple attempts, Fred decided that it was worth a trip out to see the user. I was intrigued so I tagged along.

I learned an important lesson that day.

When we got to the user’s cubicle, we were met by a sweet older woman. She was smiling. Super friendly. Just a warm, inviting person. There was no frustration, no resentment whatsoever that we hadn’t been able to resolve her problem. Fred got right to work.

He repeated his instructions. “Put the mouse on the OK button and click.”

So she did just that.

She picked her mouse up off of the desk and literally placed it on the monitor, right on top of the OK button. And then she clicked. And she was right, it didn’t work.

She did exactly what we told her to do, but not what we wanted her to do.

You can guess the moral to this story.

Fast-forward to today, and most security practitioners (I used to be in this group) will have you believe that people are our biggest risk. They will tell you stories about how people fail during penetration tests, how people don’t “get it” and how statistics show that nearly all security breaches are the result of a human failure.

They will tell you that people are the biggest problem in information security.

They are wrong.

Ask yourself these questions –

  1. Would you attempt to drive across the country without a map?
  2. Would you let someone perform surgery on you if they weren’t a doctor?
  3. Would you deploy a firewall without configuring it?

The answer to all of these is obviously no.

However we regularly – in all industries, in organizations of all shapes and sizes, in every country of the world – expect human beings to behave securely without effective training, education or configuration.

What we haven’t quite figured out in a meaningful way yet is that people are like firewalls. They need configuring and patching on a regular basis. As soon as you stop patching a firewall, the state of its security begins to decline. The same is true of people.

And yet people are not like firewalls at all. Firewalls don’t have brains. And people aren’t binary.

Yet most organizations continue to utilize training techniques that aren’t designed for human beings. Their training is boring, irrelevant, tedious, unengaging and long. We’ve all been there – forty-five bullet-filled, do-it-yourself PowerPoint slides and a quiz.

This doesn’t bring awareness, it brings tears.

If you want your employees’ security behaviors to be effective, your training needs to be effective. It has to be fun. It has to be relevant to their job. It has to be short enough that it can fit into their day without being too disruptive. It has to be timely. And it has to be continuous.

October is National Cyber Security Awareness Month, a great time to rethink your security awareness and education program.

I was wrong about security, but you don’t have to be.

Your human firewalls – and your business – will thank you.

Calling All Social Engineers

A friend of GreyCastle Security stopped by this morning to discuss social engineering and how it can be used to improve audit programs.

This friend is an Auditor for a large state-run entity, and a wannabe pentester (tough to blame him).

Now I know what you’re thinking – why is an Auditor interested in social engineering?

I’m glad you asked.

First, we’ve seen many audits totally miss the mark by not including the people aspects of information security. In their defense, audits are typically based on compliance regulations or organizational policies, which miss the same mark.

But if you were an Auditor, where would you focus?

On the countless firewalls out there that are summarily bypassed by attackers, both expert and newb? Or the hordes of susceptible bank tellers, healthcare executives, students, IT administrators and other personnel targeted each and every day by cybercriminals all over the globe?

The answer is clear. Auditors need to be social engineers.

But that’s not as easy as it sounds. In our conversation today we talked about what makes a good social engineer. And the reality is, the best social engineers are born, not made.

That being said, social engineering skills can be taught and improved, even if your name doesn’t end in “Mitnick”.

So what are these skills?

The ability to improvise is critical. So is the ability to collect and leverage information about assets (people) to your advantage. And last but not least, the ability to maintain cool under pressure, especially when being challenged.

A good social engineer is generally good at getting out of tickets, into the VIP and around the rules. If you panic when trying to get away with a duplicate grocery store coupon, it might not be for you.

So if you’re comfortable impersonating someone you’ve never met, that may not even exist, to gain confidential intel or compromise an asset for the betterment of the greater good – all while smiling – we may be looking for you.

After all, the human side of information security is quite possibly the most important, and most misunderstood, of all.

Next month is National Cyber Security Awareness Month. Stay tuned for a whole month of interesting thoughts, trends and tips for securing human beings.

Remembering 9/11

For most, if not all Americans, today is a special day.

Eleven years ago we were all changed, some of us irrevocably. The images of that day are still burned into our memories.

Images of Osama bin Laden or the collapsing Twin Towers still generate feelings of angst, powerlessness and fear.

And yet, that’s all they are.

In a world of risks, separating feelings from reality is difficult, but necessary. In many cases, they are not only different, but contrary.

Ask someone if they would rather text while driving or face a terrorist.

Yet texting while driving has killed twice as many people this year as terrorists have.

So why aren’t we afraid of texting in a moving car?

The answer is related to the way human beings make decisions. It’s related to the way the human brain works, and to the way fear, ego and survival instinct cause us to feel and react.

It makes us really bad at judging risk sometimes.

Eleven years ago, the USA, including the intelligence community, Government and Military, didn’t keep feelings and reality in check. We didn’t understand our risks.

We didn’t think terrorists would fly planes into buildings.

Let’s take a moment today to remember those lost in the tragedy on September 11. Let’s remember all of those affected. Let’s remember those who have paid the ultimate price fighting to make things right.

Let’s also remember that the next tragedy can be averted if we remember that you can feel secure and not be.

Security is “No Easy Day”

The recently published book containing the details of the raid on and killing of Osama bin Laden has caused a firestorm in military and security circles.

In “No Easy Day”, Mark Owen (a pseudonym, his real name is Matt Bissonnette) provides a first-hand account of the planning and execution of the operation to kill the world’s most wanted terrorist.

The ex-Navy SEAL gives a blow-by-blow in what is described as a vivid, and sometimes gruesome, documentary.

The Pentagon claims that it contains “sensitive and classified” material. You may argue that the very honor, ethics and cultural values of America’s elite fighting force has also been compromised.

But this debate goes beyond disclosure of classified information, which is a crime.

These types of disclosures have very real parallels in information security, as well.

Some security experts argue that disclosure of security operations, particularly during data breaches and other incidents, is critical to the successful handling and prevention of future incidents.

The concept is that the more that is published about how particular vulnerabilities were exploited, the better prepared other organizations can be to defend them.

Some claim that the disclosure of data breaches and their related vulnerabilities only invites copycats. After all, how many organizations will take action on advice, once given?

Still another argument suggests that disclosures weaken the defenders themselves, rather than the vulnerabilities. The more an attacker knows about our Tactics, Techniques and Procedures (TTPs), the better they can work around them.

Sharing information is critical, whether it’s done at the department, industry or nation level. The question then becomes, how can we share intelligence without compromising our own mission?

The concept of Operational Security (OPSEC) has existed for millennia. During times of war, mission plans are the most sought after of all artifacts.

During times of peace, they are surpassed only by the plans for war.

Many argue that Mark Owen has now put the lives of many Navy SEALs in jeopardy. At a minimum it’s going to make their jobs a little harder for a while.

And if nothing else, it has brought visibility to the importance of Operational Security.

Irrespective of which side of the fence you sit, you need to know where the fence is. And you can be pretty damn sure that there’s somebody on the other side.

Now we know that they’ve got 23 other guys, dropped out of a stealth chopper and are carrying M4s.

In Security We Trust

The American Presidency is designed to disappoint.

After watching much of the Republican National Convention (mostly online, God bless the Interwebz), I am truly prepared for an underwhelming four years.

This is in small part due to the fact that my candidate is behind in the polls and unlikely to win the election. But also consider this:

For the past year we’ve been inundated by candidates from all parties with promises of change and other transformative programs that will take America in the direction necessary for prosperity, safety, international diplomacy and the future development of our nation.

Each candidate has made promises to improve the economy, education, healthcare and human welfare, our international citizenship, critical infrastructure and more.

Candidates have touted their programs’ unique features, and proclaimed how they are exclusively qualified to carry out these duties.

And irrespective of which box you check on your Voter Registration Card, you’ve invariably heard about how one political party is superior to the other.

But the truth is, no matter who makes it into the White House – Obama or Romney, Democrat or Republican – they will fail to deliver on their promises.

And this is as it should be.

You see the Founding Fathers were pretty smart dudes, and they knew a little something about security. They could see Obama and Romney coming a mile away, and they knew that the rhetoric of change was just that.

So they instituted a system of checks and balances. They created institutions that limited the President’s power to specific charges and duties.

They built a system of trust that ensured the President’s ability to control was dependent upon what Congress, the Supreme Court, the Federal Reserve Board, other nations and reality would allow him.

In fact, one of the most important security controls we use today – segregation of duties – is built into the Constitution and nearly every other important document that this country was founded on.

So on election day, let’s all take a deep, collective breath.

You may take the Presidency seriously, but rest assured that regardless of who wins, our forefathers were smart enough to neuter the CEO of America.

To Train or Not to Train, That is Not the Question

Recently, CSO published an article suggesting that organizations eliminate security awareness training from their security programs. The article has stirred great debate in security circles, including this one.

Citing the “Carronade” phishing test failure at West Point in 2004, the author went on to claim that any investment in security awareness training “is money wasted”. The overarching theme of the piece suggested that human susceptibility is impossible to eliminate. Because complete (100%) security is impossible to achieve in this area, resources should be dedicated elsewhere.

If this argument were true, there would be no firewalls. No antivirus. No security controls of any kind.

Let me first say that I respect the author for offering a viewpoint counter to that of the masses, and for getting us to think a bit. Let me then say that I believe the author missed the point. It’s not about eliminating training, it’s about eliminating ineffective training.

Anyone who has been protecting things for any length of time knows that trust is hard to come by. And it gets harder every day. Consider this:

  1. Business has become complex, amorphous and dynamic. An increasingly younger workforce cares less about privacy and security. Wireless, social media, virtualization, mobility – all of these have made it harder to protect critical assets.
  2. Attackers are multiplying and motivations are increasing. China just arrested 10,000 online criminals and other individuals suspected of Internet crimes. 10,000. And hacking is still not illegal in most countries.
  3. The tools to steal banking credentials and roll malware can be bought online with incredible ease. They’re inexpensive and come with technical support, just like Microsoft Office. Anyone can get into online crime.

Fighting cybercrime is a $400B industry, and we’re just getting started.

So now ask yourself, what – or better yet who – are you trusting to protect your assets?

I offer this counterpoint to the CSO article: effective security awareness training is the best, perhaps the only, security practice that, done well, demonstrates dramatic, measurable return in today’s environment.

Your employees are everywhere, and they do everything. They touch every database. Every SSN. Every locked door. Every web application. Every e-mail. Every credit card number. Every line of code. Every turnstile. Every firewall rule.

Get the right message to your employees on a consistent basis and you have solved a significant number of your security challenges, or at least reduced risk in those areas. Change your employees’ behaviors and you have instantly changed your security profile. There is no other single security control that has that same potential.

Today, you may be trying to save the company time by making training optional for employees. Today, you may be trying to save the company money by having the security guy deliver your training. Today, you may be trying to save the company energy by delivering the same PowerPoint slides to management, IT and staff.

Today, you are wasting your money.

Tomorrow is another day.

Flame and the Impending Inferno

Earlier this month, security media were ablaze with news of the freshly discovered Flame malware toolkit, which according to reliable sources began infecting Iranian computers as early as 2008.

Since the first reports, we’ve learned more about Flame, its capabilities and intent. The results of this analysis have been impressive and sobering.

Like its alleged sibling, Stuxnet, Flame is highly sophisticated, purpose-built and effective. As someone who spent many years in software development, I appreciate what it takes to write code for many platforms and devices while minimizing flaws. The authors of Stuxnet and Flame deserve credit for this, if nothing else.

Unlike Stuxnet, Flame is a toolkit – a veritable Swiss Army knife – of attacks that can be activated remotely by its command and control operator. The Flame payload is delivered such that all of the modules are available and integrated into the initial assembly, with no additional download or communication required.

Bluetooth sniffing, keylogging, an Autorun infector, the ability to hijack the Windows AutoUpdate function and more – up to twenty unique modules – all nicely packaged in one nefarious kit.

With all of this, Flame may have supplanted Stuxnet as the most complex and sophisticated piece of weaponized software ever developed in the [known] history of mankind.

But as powerful as Flame seems, the economic ecosystem on which it’s built may be even more interesting.

For decades, Microsoft, Adobe, Google and Oracle have been recruiting, paying for and getting the absolute best and brightest software designers, architects and developers on the planet. Until now.

In this post-neo-infosec-challenged world that we live in, the uber-software Gods work for the bad guys.

You may not put it on your CV or LinkedIn profile, but if you want a fun, exciting, incredibly well-paying job writing the newest, coolest and most coveted code on the planet, move to Romania and hook up with a Russian cybergang.

And it gets worse. As these malicious international software factories become more successful, they get richer, they buy better people and the cycle repeats.

Over the past several weeks the FBI, Interpol and other international law enforcement agencies arrested twenty-four individuals suspected of various card fraud schemes and activities. Suspects were spread out across thirteen countries around the world. One of them was arrested less than 45 minutes from GreyCastle Security headquarters.

None of them were software developers.

The people most typically being arrested for online crime are the individuals using the tools, not the ones building them. No, these digital mercenaries are tucked safely away in their posh Baroque villas on the outskirts of some small town in Estonia, busy writing their next module and withdrawing laundered cash from untraceable bank accounts.

And the hits keep coming. And the fire burns brighter.

Flame may just be the spark that starts the inferno.

Indian Food, Spartacus and Credit Card Fraud

Friday night was date night.

After five weeks of client meetings, traveling and conferences without a single day off, I was looking forward to a relaxing evening with my girlfriend enjoying some Indian food and downtime. We had been looking forward to fully exercising a $25 Groupon on a table-full of exotic curries and then catching up on one of our favorite new series.

The meal did not disappoint. We left properly stuffed and excited for the rest of the evening’s activities – three episodes of Spartacus.

As we walked home we noted how beautiful the evening had become. We made it to the block where I live when my girlfriend noticed something interesting on the ground. We stopped to take a closer look.

It was the customer copy of a credit card receipt.

Upon closer inspection we discovered that this was no ordinary receipt. In addition to the full credit card number, it had the CVV, expiration date, zip code, phone number, full name and customer signature.

And amazingly the retailer managed to write down the customer’s CVV and expiration date but not the total. You can’t make this stuff up.

Here it is, blurred for confidentiality.

As you can see it contains everything necessary to commit identity theft and card fraud, with the possible exception of one piece of data – the customer’s billing address. So I did what any self-respecting security professional would do – I called and asked for it.

The conversation went something like this:

“Daniel [name changed to protect the guilty] I live in [city deleted] and I found a credit card slip with your name on it. I’m really scared that someone will use it to steal your identity, if you give me your address I’ll send it to you.”

Of course, Daniel assumed that, because I already had his name and number and appeared to be a good Samaritan, I was worthy of his home address. This is exactly how card fraud is taking place at restaurants, retail stores and hotels across the country.

This is not just Daniel’s problem. Merchants are instructed not to write additional information on receipts for this very reason. The merchant where Daniel used his card is a prominent and highly regarded institution in the Capital Region. Just like the Desmond.

This week I plan to send Daniel his receipt, along with a note to be more careful. Not just with his credit card and receipts, but with the information that he gives out over the phone. I was a good Samaritan, but the next person may not be.

I may also give the merchant a call and offer free advice on avoiding public relations nightmares.

And then I’ll just sit back and wait for the good karma to roll in.
