The recently published book containing the details of the raid on and killing of Osama bin Laden has caused a firestorm in military and security circles.
In “No Easy Day”, Mark Owen (a pseudonym, his real name is Matt Bissonnette) provides a first-hand account of the planning and execution of the operation to kill the world’s most wanted terrorist.
The ex-Navy Seal gives a blow-by-blow in what is described as a vivid, and sometimes gruesome documentary.
But this debate goes beyond disclosure of classified information, which is a crime.
These types of disclosures have very real parallels in information security, as well.
Some security experts argue that disclosure of security operations, particularly during databreaches and other incidents, is critical to the successful handling and prevention of future incidents.
The concept is that the more that is published about how particular vulnerabilities were exploited, the better prepared other organizations can be to defend them.
Some claim that the disclosure of databreaches and their related vulnerabilities only invites copycats. After all, how many organizations will take action on advice, once given?
Still another argument suggests that disclosures weaken the defenders themselves, rather than the vulnerabilities. The more an attacker knows about our Tactics, Techniques and Procedures (TTPs), the better they can work around them.
Sharing information is critical, whether it’s done at the department, industry or nation level. The question then becomes, how can we share intelligence without compromising our own mission?
The concept of Operational Security (OPSEC) has existed for millennia. During times of war, mission plans are the most sought after of all artifacts.
During times of peace, they are surpassed only by the plans for war.
Many argue that Mark Owen has now put the lives of many Navy Seals in jeopardy. At a minimum it’s going to make their jobs a little harder for a while.
And if nothing else, it has brought visibility to the importance of Operational Security.
Irrespective of which side of the fence you sit, you need to know where the fence is. And you can be pretty damn sure that there’s somebody on the other side.
Now we know that they’ve got 23 other guys, dropped out of a stealth chopper and are carrying M4s.
You just can’t make this stuff up.
Last week I received the following text message from an unknown number: “I received check. Thank you. Alice”.
A quick bit of research revealed that the number came from a woman (OK, I made some assumptions on the “Alice” part) who owns a flower shop in a small town in Florida.
They offer a full line of floral favorites, houseplants and perennials, and they also accept Visa, MasterCard and PayPal. The web site doesn’t say anything about accepting personal checks but apparently they’re cool with that, too.
I sat on the text for over an hour, as various scenarios piled up in my mind. I couldn’t help but wonder how security-conscious Alice was. Now that she had opened the door, I wanted to walk through and see what was on the other side.
My curiosity was piqued. Was Alice from Wonderland, carrying a big, nasty broom, and sweeping out all that would dare trespass on PII? Or was she just another careless merchant exposing helpless customers’ personal data?
I couldn’t help myself.
“Hi Alice. I don’t remember which acct I used can you resend the routing and acct number.”
We would soon find out.
Like all disasters, you prepare for the worst and hope for the best. We all want to believe in human beings’ natural sense of good, to protect our own and to want the best for others. We are the only species on the planet that has been gifted with morality, a true sense of right and wrong. We are truly blessed.
Over two hours had passed and I felt strong. In a world where security breaches, fraud and cybercrime were the norm, Alice was a beacon of hope. A shining example of what was right in this sordid world where so much has gone wrong. Alice, a frail, aging shopkeeper would show us what fortitude, diligence and a sense of righteousness truly means. If Alice could do it, anyo (bzzzzzt)…
“021000322 XXXXXXXXXXXX XXXX”
Friday night was date night.
After five weeks of client meetings, traveling and conferences without a single day off, I was looking forward to a relaxing evening with my girlfriend enjoying some Indian food and downtime. We had been looking forward to fully exercising a $25 Groupon on a table-full of exotic curries and then catching up on one of our favorite new series.
The meal did not disappoint. We left properly stuffed and excited for the rest of the evening’s activities – three episodes of Spartacus.
As we walked home we noted how beautiful the evening had become. We made it to the block where I live when my girlfriend noticed something interesting on the ground. We stopped to take a closer look.
It was the customer copy of a credit card receipt.
Upon closer inspection we discovered that this was no ordinary receipt. In addition to the full credit card number, it had the CVV, expiration date, zip code, phone number, full name and customer signature.
And amazingly the retailer managed to write down the customer’s CVV and expiration date but not the total. You can’t make this stuff up.
As you can see it contains everything necessary to commit identity theft and card fraud, with the possible exception of one piece of data – the customer’s billing address. So I did what any self-respecting security professional would do – I called and asked for it.
The conversation went something like this:
“Daniel [name changed to protect the guilty] I live in [city deleted] and I found a credit card slip with your name on it. I’m really scared that someone will use it to steal your identity, if you give me your address I’ll send it to you.”
Of course, Daniel assumed that because I already had his name and number and that I appeared to be a good Samaritan, that I was worthy of his home address. This is exactly how card fraud is taking place at restaurants, retail stores and hotels across the country.
This is not just Daniel’s problem. Merchants are instructed to not write additional information on receipts for this very reason. The merchant where Daniel used his card is a prominent and highly regarded institution in the Capital Region. Just like the Desmond.
This week I plan to send Daniel his receipt, along with a note to be more careful. Not just with his credit card and receipts, but with the information that he gives out over the phone. I was a good Samaritan, but the next person may not be.
I may also give the merchant a call and offer free advice on avoiding public relations nightmares.
And then I’ll just sit back and wait for the good karma to roll in.
In May of 2011, the Desmond Hotel and Conference Center in Albany, NY was compromised by an as-yet-unnamed foreign entity. Very little has been made public about the incident, and it’s possible that we will never know the true extent of the damage.
What we do know is that the credit and debit card numbers of every hotel guest from May 2011 to March 2012 were potentially compromised. At least one patron had their bank account drained.
Otherwise, it was just like the countless other breaches we’ve witnessed recently.
First, The Desmond had been compromised for nearly a year and didn’t know it. The Secret Service discovered evidence of the Desmond breach during routine investigations of foreign hackers and notified the hotel of their findings. We can only assume that the compromise would still be going on today if this stroke of luck hadn’t occurred.
Second, The Desmond didn’t have an Incident Response Plan. This is an assumption on my part, but one that I am confident in, given the post-event fallout. The incident, which could likely have been better contained, grew quickly and became a public relations nightmare that lasted for days.
Third, they didn’t think this could happen to them.
This is not a smear piece. The Desmond is my favorite hotel in the area, and one that we hope to make a client someday. Unfortunately, they became low-hanging fruit. They were simply the next target in a long line of victims, a queue that grows daily.
The Desmond made the news. 99% of breaches don’t. And it seems that until an organization experiences their own incident, there is little compelling them to protect themselves.
The industry, our peers, the media, the company where you work – all are providing us an education, but we are not learning from our mistakes. Psychology 101 teaches that human beings learn best when content is relevant, entertaining and interactive. It would seem that major public data breaches tick all of these boxes.
For now it seems the only thing that’s ticked is The Desmond’s customers.
The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.
Seal Team 6 is the most famous of all the Special Operations teams. These are the operatives that led the capture and termination of Osama bin Laden, the maritime rescue of American sailors on the Maersk and the recent recovery of foreign journalists held hostage by Al-Shabaab terrorists. The best of the best has handled the worst of the worst.
Imagine what you could get done if you had your own Seal Team 6.
Think it sounds crazy?
On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.
Like Seal Team 6, cybersecurity has become a household word and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it Seal Team 7, that’s taken) will give your organization a “force multiplier”.
Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams, multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.
And yes, you can have your own.
Here’s what you need:
- Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
- Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
- Train, train, train – Training is the most important of all, and it should incorporate the following:
  - The basics – Every Navy Seal is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a Seal. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
  - Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
  - Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.
Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.
You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.
The US Government is getting ready to pass the Cybersecurity Act of 2012.
In this 205-page bill is legislation mandating that entities deemed “critical infrastructure” meet security standards set by the government, including the Department of Homeland Security. The proposed law “is the product of three years of hearings, consultations, and negotiations,” the intent of which is to secure systems which “if commandeered or destroyed by a cyber attack, could cause mass deaths, evacuations, disruptions to life-sustaining services, or catastrophic damage to the economy or national security.”
Like all other compliance mandates, it will fail.
Now let me first say that I am in no way anti-government (except in April), nor would I like our electrical grid, nuclear plants or water distribution facilities left exposed. However, government mandates are unlikely to solve the problem.
- Compliance Mandates are Latent – By definition, compliance regulations are developed and implemented after a threat has been identified. Add to this inherent issue the time it takes for a bureaucrat to understand and measure risk, hire analysts to author a bill and weave its perceived benefit into their re-election strategy, and we’ve left any potential legislation years behind its need. Compliance is not timely, nor can it be.
- Compliance Mandates are Optional – For compliance requirements to be truly successful, all entities subject to regulations would be complying in some way. Unfortunately this isn’t the case, nor is it realistic. Asking the Government to audit all organizations would require armies of people and even bigger piles of money. Some regulations have introduced self-assessments to ease this burden, which has only led to inconsistency in reporting and implementation. Ever heard of anyone going to jail for HIPAA violations? Compliance is not mandatory, nor can it be.
- Compliance Mandates are Vague – Anyone who has read the HIPAA Administrative Simplification or FFIEC Guidance knows that the Government is good at telling you what to do, but not how. And honestly, they really can’t be. How could such a broad technical standard be developed for so many different organizations? It might feel a little Draconian if the Feds told you exactly what directory services to use for authentication. Add to this challenge differing interpretations, language and changes in technology. Compliance is not prescriptive, nor can it be.
Despite its good intentions, compliance does not bring security. In fact, it may be having the exact opposite effect. In a recent survey, security administrators found themselves spending between 25 and 100 percent of their time on compliance efforts, all while databreaches were increasing at their organizations.
So what’s the answer?
Let’s trade compliance for security. Rather than penalizing those that aren’t in compliance, how about rewarding those that are secure? If we took the billions that the government spends every year on HIPAA, FISMA, SSAE16, FFIEC, SEC, FIPS, DHS, TSA and the thousands of other regulatory bodies, their audits, personnel and other perfunctory functions and instead spent that on real security education for the right people, we’d be far ahead of where we are today.
If they wanted to go the extra mile, Lieberman and Company could help organizations implement metrics to tell how well they were performing against their security programs. If they wanted to get real fancy the Government could subsidize real risk assessments for organizations in “critical infrastructure”. They’d probably still have money left over for tracking terrorist hashtags on social media.
For most of us, compliance is here to stay. The question is – just how far from real security will it diverge?
Just ask TJX, Heartland or Sony.
The Zappos hack this week made national headlines for a number of reasons.
First, Zappos, a subsidiary of Amazon.com, is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.
Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers for an estimated 24 million individuals were exposed, making it one of the largest databreaches in recent history. The value of this data on the black market, using today’s cybercrime figures, is in the tens of millions of dollars.
But in many ways the Zappos databreach isn’t unlike the countless other incidents we’ve witnessed lately. Which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.
Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.
This is what I would do if I were Zappos:
- I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I just pissed off 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not sound like a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
- I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide them a means for securely accessing the new password, or simply leave the account disabled until such time that the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
- I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker and other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
- I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that they have nothing worth protecting, and that this can’t happen to them, we’ll continue to experience these issues.
It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.
Maybe Zappos should start selling eyewear.
I’ve always loved haunted hayrides.
I’m not talking about hayrides where you sit freezing your candycorn off listening to some retired third-grade teacher drone on about the history of the early settlers who first farmed that land. I’m talking about the wretched ones, where one moment it’s pitch black and silent, anxiously waiting for the inevitable horror beyond the next graveyard, and the next moment it’s deafening, you’re screaming and choking on chainsaw exhaust, the cold steel of the neutered blade brushing your leg, fake blood spattering hay-strewn victims, only to be whisked away to a heavenly reprieve of cider donuts and hot chocolate.
People love to be scared. Whether it’s witches or zombies, Jason or Michael Myers, everyone loves that super-heightened sense of awareness from feeling like anything could happen.
It’s time we figure out how to bring a little bit of that feeling to our professional and personal lives.
Welcome to October, National CyberSecurity Awareness Month!
For many years now, we’ve known that people have been a major weakness in the cybersecurity chain. Of the significant databreaches that occurred in 2011, over 80% of them started with or incorporated some type of social engineering attack. This means that at some point along the way, people failed.
Interestingly, very few of these cases were situations where people acted in a malicious manner. In fact, nearly all of these cases were situations where there were accidental violations of policy, or where people had good intentions but violated policy to get their jobs done or where people had no idea that they had done anything wrong.
In these cases, the business failed.
Like Michael Myers, Freddy Krueger and other famous movie killers, cybercriminals don’t play by any rule book. They can strike anywhere, at any time. This fluidity gives them a distinct advantage over the good guys – the bad guys only have to be right one time, the good guys have to be right every time. This imbalance asserts that a heightened sense of awareness is critical if Haddonfield is going to make it through another Halloween.
Luckily, there are a lot more good guys than bad guys; all we have to do is arm them.
The beauty of horror movies is, we can turn them off if we want to. Not so for cybercrime. If we’re going to make it through this epic series, we need more good guys armed with sewing needles. We need more good guys with determination.
This October, as you’re shopping for peanut butter cups and Halloween decorations, do your home, business and planet some good and think about the role you play in cybersecurity. This ain’t no movie. The Michael Myers we’re fighting is real. He’s out there and he wants your identity. He wants your bank account.
He’s probably already got your credit card and SSN.
Think about this as you’re shopping for a costume.
I recommend the Laurie Strode.
“The definition of insanity is doing the same thing over and over and expecting different results.” – Albert Einstein
Is it possible that there are companies that deserve to experience a security incident?
Some may call this unproductive thinking, but it seems that some businesses are exposing themselves to repeat attack due to how incidents are being handled. Here are some examples of recent and common behaviors that are putting businesses at undue risk:
- Victims of cybercrime are not reporting their incidents. This lack of reporting may on the surface appear to protect the victimized organization, but that notion is short-sighted. By keeping the details of the attack and attackers private, we cannot learn from the event. This lack of detailed information about events makes it much harder to prevent, detect and correct them when they occur again. Our inability or unwillingness to share information becomes a critical weakness when fighting cybercrime – this is especially common among small businesses. Knowledge is power.
- Victims of cybercrime are settling out of court. Believing that they’re saving their reputations and wallets, victimized organizations avoid prosecution of attackers or malicious employees. Without prosecution, bad people never become criminals, and they simply move on to their next victim. Background checks against bad people are useless unless they have a criminal record, and criminal records don’t exist without prosecution. The same bad employee could end up working for the victimized company again and again if they were determined and understood how easy identity theft was.
- Victims of cybercrime aren’t collecting or using event evidence to strengthen their security programs. Actionable intelligence is the equivalent of sights on a handgun; without these, your chances of hitting your target become much, much lower. Security devices – firewalls, intrusion prevention, monitoring, anti-malware – record mountains of activity data during a security incident. Leveraging this information can help ensure that you’re less vulnerable to the same attack again.
As human beings we are programmed for self-preservation, these reflexes have helped us survive for millennia. However, it is these same survival reflexes that cause us to trade long-term pain for short-term gain. It takes considerably more thought and patience to factor the complex network of cause and effect relationships into our security decisions, but the juice can be worth the squeeze.
And as a bonus, Einstein wouldn’t have you committed.
Early Christians were an organized bunch.
While other religions were floundering in banal castings of “good” and “evil”, Catholics were taking things to a whole ‘nother level. Although they didn’t become popular until the early 14th century, the 7 Deadly Sins proved to be a useful tool for theologians of the time. With such a variety of vices from which to choose, clergymen could condemn miscreants for anything from excesses to laziness. Who would have guessed that these same labels would have information security applications thousands of years later?
Now, I feel that I should clarify one point. While I did go to Sunday School as a child, I am not a religious individual. In fact, the last time I stepped foot into a church I was there to admire the architecture. My next visit should be along the lines of a bake sale.
All that being said, I too tend to be an organized person and categorizing things helps reduce the chatter in my mind. I also find that the 7 Deadly Sins have a rightful place in information security, as we find so regularly that businesses, practitioners and risk owners commit these “things that His soul detesteth”.
Without further ado:
- Lust – It continues to be proven time and time again that technology does not solve security challenges, yet there are individuals who find that shiny new piece of technology irresistible. It is the people and processes around your hardware and software that will determine how effective they are, regardless of what miracles they claim. It was not the sandals that allowed Jesus to walk on water.
- Gluttony – Some security practitioners and business owners do get it. In fact they get too much of it, and their employees pay the price. Your security controls should match your risks. And although we appreciate the intent of these enthusiastic individuals, please stop. You’re giving us a bad name. Security can be inconvenient for employees even when it’s done well, when it’s overdone it can be downright painful.
- Greed – Businesses will often claim that they can’t afford to spend money on security services. To this I reference the countless statistics demonstrating breached businesses that were unable to recover. The losses caused by cybercrime are increasing at a staggering rate. If you’ve got confirmation from a reliable source that it’s going to rain for forty days and nights, don’t build your Ark out of straw.
- Sloth – Inaction on the surface of a business may in reality be a symptom of other things, including lack of resources, lack of direction or lack of motivation. A healthy dose of awareness and education is typically needed at these organizations, followed closely by good leadership. Executives should be setting the security “tone at the top”, and an effective Risk Management process should be defining security priorities. Information security is like religion, it’s a journey not a destination.
- Wrath – To be honest, I couldn’t come up with a good analogy for this one, but I can get a little feisty when Dunkin’ Donuts is out of hot chocolate. I confess.
- Envy – Information security is no place for blind faith. The business across the street may look like yours, but that doesn’t mean you have the same risks. And it doesn’t mean you should be implementing the same security controls. Understanding your own risks is the only proven method for protecting your business. Amen.
- Pride – “We’re well along with our security program, gentlemen.” “We’re audited all the time and we’re compliant.” “We’ve got that security thing under control.” The words of false prophets, these can be the most devious of all. Not only do these individuals deprive their people and organizations of objective assessment, advice and relief, their messages convey a false sense of security. These are the proverbial wolves in sheep’s clothing.
I was baptised at a relatively early age. Rocking a bowl cut and leisure suit, I even made Communion. And then through a little bit of hard work I learned that some assets are sensitive and need special security controls. It didn’t take an act of God.
If you are a business owner, a CFO or a security practitioner, or just know one of these individuals, I encourage you to re-read this list of mortal sins. If necessary, etch them into a stone tablet and carry them to the top of the nearest mountain.
It may just help you avoid the Apocalypse.