The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.
SEAL Team 6 is the most famous of all the Special Operations teams. These are the operatives that led the capture and termination of Osama bin Laden, the maritime rescue of American sailors on the Maersk and the recent recovery of foreign journalists held hostage by Al-Shabaab terrorists. The best of the best has handled the worst of the worst.
Imagine what you could get done if you had your own SEAL Team 6.
Think it sounds crazy?
On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.
Like SEAL Team 6, cybersecurity has become a household word, and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it SEAL Team 7, that’s taken) will give your organization a “force multiplier”.
Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams, multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.
And yes, you can have your own.
Here’s what you need:
- Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
- Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
- Train, train, train – Training is the most important of all, and it should incorporate the following:
- The basics – Every Navy SEAL is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a SEAL. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
- Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
- Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.
Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.
You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.
The Zappos hack this week made national headlines for a number of a reasons.
First, Zappos, a subsidiary of Amazon.com is a major brand recognized as a leading online footwear retailer. You don’t need to be female to know that Zappos sells just about every make and model of sandal, Skecher and pump known to man. And woman. And if you’re a woman there’s at least some chance that Zappos is your browser home page. I’ve seen it happen.
Second, the scale of the breach was massive. E-mail addresses, billing information, names and partial credit card numbers were exposed for an estimated 24 million individuals, making it one of the largest data breaches in recent history. The value of this data on the black market, using today’s cybercrime figures, is in the tens of millions of dollars.
But in many ways the Zappos data breach isn’t unlike the countless other incidents we’ve witnessed lately, which makes me wonder if we’re operationalizing information security this year any differently than we did last year. Or the year before that.
Of course history makes a great teacher, and this holds true for security, as well. And while they’re still grinding through the logs and other forensic evidence of this attack, there are some clear lessons to be learned here.
This is what I would do if I were Zappos:
- I would learn to be better at Public Relations – Because they expected a deluge of phone calls related to the hacking, Zappos said that they were temporarily turning off their phones, instead responding to inquiries by e-mail. “If 5% of our customers call, that would be over 1 million phone calls, most of which would not even make it into our phone system in the first place,” the company’s e-mail to employees said. Now I’m no PR expert, but if I had just angered 24 million of my customers by exposing them to identity theft, disabling their preferred mode of communication might not be a bright idea. Perhaps they missed the beating that RSA and Sony took for their PR gaffes.
- I would learn to be better at helping my customers during a crisis – Have you ever tried getting your organization of 150 people to change their password? Exactly. Now multiply that times 160,000. It’s the equivalent of sucking an Olympic-size swimming pool through a McDonald’s straw. In this day and age, there should be a way to programmatically reset customer passwords, provide customers a means for securely accessing the new password, or simply leave the account disabled until such time as the customer wants to use the account again. I’m betting that a significant percentage of those 24 million accounts are inactive in the first place.
- I would learn to better protect sensitive information – Zappos was warned daily – possibly more frequently – by The NY Times, The Washington Post, the GreyCastle Security blog and other global media outlets that they were going to be hacked, but they proceeded to store names, billing addresses, e-mail addresses and partial credit card numbers together, in one database, potentially on one server, packaged neatly for the next disgruntled employee, hacker or other miscreant. I’m guessing that Zappos didn’t have the budget, the time or the resources to secure this information appropriately. It wasn’t a priority. Until it was too late.
- I would learn to be a security evangelist – Now that I’ve been owned by hacker(s) unknown, exposed my customers to incalculable risk and started racking up unnecessary Incident Response bills, I would help other companies avoid what just happened to me. “We’ve spent over 12 years building our reputation, brand, and trust with our customers. It’s painful to see us take so many steps back due to a single incident,” the company’s CEO said. The biggest problem in our industry is not a technical one, it’s a psychological one. As long as Company XYZ believes that it has nothing worth protecting, and that this can’t happen to it, we’ll continue to experience these issues.
It’s not fair to single out Zappos. This blog could be written about thousands of other organizations. But so far security hindsight continues to be nearsighted.
Maybe Zappos should start selling eyewear.
Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?
Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:
- How secure am I?
- Am I more secure than I was last year?
- How much should I be spending on security?
Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.
Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.
Enter security metrics.
Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.
Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.
To develop a measurement system that will be useful, you need to build metrics to address two audiences: you, and your CEO.
The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.
The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.
Here are some metrics to consider:
- Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
- Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
- Mean Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover ourselves (versus our customers, partners or other third parties), and how long did it take? Secondly, how long did it take to recover from critical incidents?
- Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
- Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?
The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.
(For some other ideas, check out the CIS Consensus Information Security Metrics)
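As an added example (not code from the original post), the five metrics above computed from a small set of constructed records; the asset, change, incident, patch and staff data and the reference date are all invented for illustration.

```python
"""Compute the five security metrics described above from constructed sample
records. Added example, not from the original post; every record is invented."""
from datetime import date, datetime

TODAY = date(2012, 1, 20)  # constructed reference date for the reporting period

# Constructed inventory: asset -> date of its last risk assessment (None = never)
ASSETS = {
    "hr-fileserver": date(2011, 9, 1),
    "web-storefront": date(2011, 2, 14),
    "badge-system": None,
    "payroll-app": date(2011, 12, 5),
}
# Constructed change tickets: (reviewed_by_security, caused_rework_or_violation)
CHANGES = [(True, False), (False, True), (True, False), (False, False), (False, True)]
# Constructed incidents: (occurred, discovered, discovered_by, recovered, critical)
INCIDENTS = [
    (datetime(2011, 11, 1, 8), datetime(2011, 11, 3, 8), "internal", datetime(2011, 11, 4, 8), True),
    (datetime(2011, 12, 10, 9), datetime(2011, 12, 10, 15), "customer", datetime(2011, 12, 11, 9), False),
]
# Constructed critical patches: (released, installed or None, policy_days allowed)
PATCHES = [(date(2011, 12, 1), date(2011, 12, 10), 14),
           (date(2011, 12, 20), None, 14),
           (date(2011, 12, 28), date(2012, 1, 15), 14)]
# Constructed staff: (received_awareness_training, involved_in_avoidable_incident)
STAFF = [(True, False), (True, False), (False, True), (False, False)]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def risk_assessment_coverage(assets, window_days, today=TODAY):
    """Percent of assets evaluated by Risk Management within the last window_days."""
    covered = sum(1 for d in assets.values() if d and (today - d).days <= window_days)
    return pct(covered, len(assets))


def change_review_metrics(changes):
    """Percent of changes reviewed, and percent of *unreviewed* changes that caused trouble."""
    unreviewed = [c for c in changes if not c[0]]
    return (pct(sum(1 for c in changes if c[0]), len(changes)),
            pct(sum(1 for c in unreviewed if c[1]), len(unreviewed)))


def incident_metrics(incidents):
    """Percent discovered internally, mean hours to discovery, mean hours to recover critical ones."""
    internal = sum(1 for i in incidents if i[2] == "internal")
    mttd = sum((i[1] - i[0]).total_seconds() for i in incidents) / 3600 / len(incidents)
    crit = [i for i in incidents if i[4]]
    mttr = sum((i[3] - i[1]).total_seconds() for i in crit) / 3600 / len(crit) if crit else 0.0
    return pct(internal, len(incidents)), round(mttd, 1), round(mttr, 1)


def patch_policy_violations(patches, today=TODAY):
    """Percent of critical patches installed after the policy deadline, or still missing past it."""
    late = 0
    for released, installed, policy_days in patches:
        if installed is None:
            late += (today - released).days > policy_days
        elif (installed - released).days > policy_days:
            late += 1
    return pct(late, len(patches))


def training_metrics(staff):
    """Percent of staff trained, and percent of untrained staff tied to avoidable incidents."""
    untrained = [s for s in staff if not s[0]]
    return (pct(sum(1 for s in staff if s[0]), len(staff)),
            pct(sum(1 for s in untrained if s[1]), len(untrained)))
```

Run the functions against each quarter's records and trend the results to see the maturity curve the post describes.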
Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.
Get your metrics right and the next time your CEO asks “how secure am I?” you can say, “No worries, mon.”
This past Saturday I woke up early and suddenly found myself running from bloody, muddy, brain-hungry zombies.
No, the world hadn’t suffered a raging viral infection. And no, I wasn’t a movie extra. It was the first annual Run for Your Lives Zombie 5K race near Baltimore, MD. There were thousands (OK maybe hundreds) of zombies to avoid, a dozen obstacles to overcome and endless fields of mud. There was blood. Whole pools of it. And there were several “teachable moments”.
Now in many ways, I feel like I’m better prepared than the next guy for the impending Zombie Apocalypse – my cardio level is above average, I prefer moving around at night and I love me some good baked beans. I also consider myself a bit of a survivalist, and I keep an ample supply of batteries, bleach and duct tape ready to go for when things get apocalyptic.
All that being said, this weekend’s events reminded me that there’s no way to prepare for everything. Despite the semi-lighthearted nature of the 3.1-mile obstacle course, I found myself surprised – even shocked – on several occasions. Midway through the race I found myself deciding between diving into a muddy lake filled with 55-degree water or being attacked by a crazed horde of killer undead. This particular teachable moment taught me that hypothermia may be for a while, but dead is forever.
So what does all of this have to do with information security?
Just like the doomsday scenarios that scientists, religious zealots and Al Gore all predict for the human race, there is no way to prepare for everything in information security. In fact, the best preparation may be in preparing to be unprepared.
The harsh reality is, most businesses have already been compromised, whether they know it or not. Yesterday my company met with yet another organization that has been the victim of cybercrime. Not only did this business suffer major losses, but two months later they are still unsure whether the money-stealing malware has been eradicated.
Having an Incident Response plan is an important part of running a successful business. Detection of malware and anomalies, containment of incidents and processes for forensics investigations and business resumption should be regular discussions for all management teams. If you haven’t already done so, add a chapter to your plan that accounts for the “unexpected”. Failing to plan is planning to fail.
Hindsight, as they say, is 20/20. I’ve already thought of a few things that I’ll do differently to be better prepared for next year’s race. Luckily, it’ll only cost me $57 to learn from my mistakes.
If you’re a business without an Incident Response plan, it may be a little more expensive.
As the owner of an information security firm, I spend a lot of time promoting security awareness and encouraging organizations to adopt an appropriate level of operational security (OPSEC) in their businesses. It has been proven time and again that humans have been and continue to be the greatest weakness in an organization’s security chain, primarily because the humans in question haven’t been given the right tactics, techniques and procedures (TTPs) to defend themselves, nor have they had adequate adjustments in attitude to want to do so. Today’s human firewalls tend to be as flawed as the firewalls plugged into countless datacenters.
I had breakfast this morning with a friend of mine who has been employed in various law enforcement agencies for all of his adult life. A highly certified and accredited individual, my friend (whom I shall refer to as Harry) has worked in counter-terrorism, forensics, explosives interdiction, corrections and firearms training, among other things. Harry and I met for breakfast to talk about business, but were inevitably sidetracked by the latest juicy gossip of police raids on terror cells, unpublicized data breaches and gangs using the Internet to auction illegal firearms.
Over a couple of breakfast sandwiches we continued to talk about the problems that citizens and local businesses were having with gangs, drugs and the illegal firearm trade that has become so active in the Capital Region. I listened as Harry shared story after story of small businesses that were being increasingly terrorized by racist groups, crime and violence. For confidentiality purposes I can’t share specifics, but I can tell you that I was alarmed at the frequency and severity of the crimes that were occurring. As I processed all of this new information it occurred to me that if John Q. Public really knew what was going on in law enforcement, he would never leave his house.
And then it occurred to me – what if the same was true of information security?
I recently read an article that suggested that there should be more data breach notifications, rather than fewer. The idea behind the article was that with more notifications, we would learn more about current exploits and be better at addressing the threats and vulnerabilities behind them.
But imagine for a moment that the details of every data breach, malware outbreak and security incident were at once made public. One of two things would happen:
- With so much information made suddenly available, there would be no way to process it, and it would be useless. The number of data breaches and security incidents that go unreported is staggering, beyond comprehension in any meaningful way. The sheer volume of data would desensitize all but the most determined practitioner.
- The computing world as we know it would stop. I liken it to a mass, global outbreak of the AIDS virus – there’d be a whole lot less sex going on. Web properties like Amazon, eBay and Facebook would cease to exist, as would their trading partners. Credit cards would disappear. Banks would shutter and dissolve. Security is based on trust – when that trust is shattered, the systems that are built upon an implied system of security cannot survive.
The only way to prevent one of these two outcomes is to increase our awareness while improving our ability to identify and deal with our risks. Our very way of life relies on this.
And while it may seem far-fetched to think of our world regressing to a time before the Internet, before credit lines or before the first financial institutions, remember that there’s an ugly world going on out there. You just don’t know it yet.
Tuesday, July 5th, 2011 will be remembered by many as a day when the United States Justice system failed.
The Casey Anthony verdict, handed down in front of an estimated audience of 130 million television, radio and web viewers shocked a nation. After 33 days of testimony, 400 pieces of evidence and more than 90 witnesses, the State of Florida could not prove beyond a reasonable doubt that Casey Anthony was indeed the perpetrator in the case. The verdict has hit a nerve with many, frustrated with the notion that someone as “guilty” as Casey Anthony could now walk despite a mountain of circumstantial evidence.
In this great land we call America, we are innocent until proven guilty. Those on the wrong side of the law have learned to abuse this right, twisting it until its original intent is no longer recognizable. Like the highly publicized Casey Anthony case, claimants from businesses of all types find themselves in court attempting to recover losses from malware attacks, reputation assassination and the $250,000 missing from their bank account. Those that find themselves prosecuting – CEOs of banks and credit unions, general managers of fast food chains, provosts of local colleges and other business leaders – beware. If you plan on recovering financial or legal losses from a security breach or incident, the burden of proof is yours.
Information security can be a dirty job. There have been many occasions where I’ve been called in to help new clients respond to and recover from data breaches and security incidents that they weren’t prepared for. As a security professional, these requests elicit a series of pre-programmed responses:
- Is the incident contained?
- What is the extent of the damage?
- Is the attacker or payload still resident?
- What recovery mechanisms are in place and will they work?
- What legal and regulatory reporting is necessary?
Whether you subscribe to NIST, ISO, ITIL or other standards, there are a number of steps to ensure successful incident handling. As was learned in the Casey Anthony case, none is more important than the proper collection and handling of evidence. The following are a number of recommendations that will keep you from making serious errors when performing any type of forensics activities:
- Have a plan – First, assume that you will experience a security incident. It will happen, I promise you that. That being the case, having a plan is the number one thing you can do to help your business respond to one. Identify the types of incidents that are possible, who will lead the response team and the basic steps you will take to recover. The previously named standards are an excellent resource for process frameworks, there’s no need to reinvent the wheel.
- Use certified professionals – Asking your team to completely, accurately and legally respond to a security incident is like asking the Pakistani Army to capture Osama bin Laden. It will be messy and you won’t get the desired outcome. Enlist professionals to assist with forensics, evidence collection, chain of custody and legal advice. The money spent here will be recovered in the courtroom.
- Minimize change – Until the professionals arrive, minimize change to the affected environment. Leave the PC, server, room, facility or any other asset exactly as it was following the event, if possible. In certain cases this may not be possible, because said assets are incurring further damage. Evidence preservation and incident containment need to balance.
- Minimize contact – If possible, minimize or eliminate human contact with the environment.
- Document everything – Keep a log of everything that occurs, beginning with the moment the event is first observed. Take pictures, write logs, do whatever it takes to capture everything.
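The “document everything” and chain-of-custody points above, as an added example (not the post’s own code): an append-only custody log that hashes each evidence item when it is acquired, records every handoff with who and when, and can later prove the item is unchanged. The evidence file, handler names and the `CustodyLog` class are all constructed for illustration.

```python
"""Evidence intake and chain-of-custody log. Added example, not from the
original post; file contents, handler names and this API are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hash the evidence item in chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who handled which item, when, why, and its hash at that moment."""

    def __init__(self):
        self.entries = []

    def acquire(self, path, handler, note=""):
        digest = sha256_of(path)
        self._append(path, handler, "acquired", note, digest)
        return digest

    def transfer(self, path, from_handler, to_handler, note=""):
        # Re-hash at every handoff so a later discrepancy can be tied to one custodian.
        self._append(path, f"{from_handler} -> {to_handler}", "transferred", note, sha256_of(path))

    def verify(self, path, handler="verifier"):
        """True if the item still matches the hash recorded at acquisition."""
        acquired = [e["sha256"] for e in self.entries if e["item"] == path and e["action"] == "acquired"]
        if not acquired:
            raise ValueError(f"no acquisition record for {path}")
        current = sha256_of(path)
        ok = current == acquired[0]
        self._append(path, handler, "verified" if ok else "INTEGRITY FAILURE", "", current)
        return ok

    def _append(self, item, handler, action, note, digest):
        self.entries.append({"ts": datetime.now(timezone.utc).isoformat(), "item": item,
                             "handler": handler, "action": action, "note": note, "sha256": digest})

    def dump(self):
        """One JSON object per line, suitable for printing into the incident binder."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo():
    """Constructed walk-through: acquire, hand off, verify, then detect a tampered copy."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.write(fd, b"constructed evidence image bytes")
    os.close(fd)
    log = CustodyLog()
    log.acquire(path, "first responder", "removed from finance workstation")
    log.transfer(path, "first responder", "forensic examiner", "sealed bag #1 (constructed)")
    intact = log.verify(path)
    with open(path, "ab") as f:  # simulate an unauthorized modification
        f.write(b"x")
    tampered_ok = log.verify(path)
    os.remove(path)
    return intact, tampered_ok, [e["action"] for e in log.entries]
```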
There are some in the security industry that will tell you that there’s little we can do to avoid being a victim of a security incident. While I believe that there are reasonable mechanisms for protecting your business, realistically speaking most of us will become a statistic. Those that are prepared will respond, recover and go on with business. Those that are not, will not.
By learning a few basic maneuvers, we can avoid becoming the next State of Florida. After all, there’s a difference between “Not Guilty” and “Innocent”.