Another day, another breach.
We haven’t received details yet, but we’re sure to hear that poor passwords were at least partly to blame in this week’s massive Evernote breach. And Bank of America’s. And [insert company name here]’s.
It seems that we may never get passwords right.
There are many reasons for this.
First, passwords may be the most targeted of all security controls. They are, after all the keys to the kingdom. If you hit something hard enough, long enough, it’s going to break. Even the toughest passwords can be cracked.
Second, passwords may be the most numerous of all security controls. I have 200 times as many passwords as I do firewalls, access control procedures or data classification policies. A typical organization may have 10,000 passwords for every other security control they possess.
Third, passwords may be one of, if not the most dynamic of security controls. Think about how often you create new passwords or change existing passwords. You don’t see this level of volatility in other areas of security.
Last, passwords are often designed, implemented and administered by the unwashed masses. Unlike other controls, they may not be reviewed by a committee, subject to monitoring or in the worst case – even required.
So what’s the secret to solving this problem?
Lowering our expectations.
Lowering our expectations? That’s the secret? Yes, don’t be alarmed. Because as sad is that sounds, expecting less of passwords (and the people who create and enforce them) should give us pause about the controls that compensate for these historically weak protections.
Remember that the goal of your security program is not to create one impenetrable wall, but rather to create a system of defenses that together are strong enough to withstand the threats that you are likely to encounter. Your passwords are just one piece of the puzzle.
Spending too much time on developing the ultimate password scheme, training your workforce on developing perfect passwords and monitoring for 100% password compliance may potentially distract you from the job at hand – protecting the crown jewels.
Good generals know it’s not about winning every battle, but winning the war.
Many organizations recognize this and are moving towards requiring or recommending multi-factor or other out-of-band authentication mechanisms to support passwords. Certificates, biometrics and other controls are becoming more popular for this reason, as well.
Take a look at what you’re doing with passwords and decide how practical and effective your efforts are. Don’t make excuses – you can’t lower your expectations so far that passwords offer no protection.
But lowering your expectations may just increase your defenses.
Two weeks ago travelers in the Austin, TX Amtrak station got a big surprise – a squad of anti-terrorism forces armed with assault rifles and specialized inspection equipment. It was just one of hundreds of [probably not so] random appearances being made by the Transportation Security Administration’s (TSA) VIPR Team all across America.
The VIPR (Visible Intermodal Prevention and Response) team is not new, in fact it was launched in 2005 after the train bombings in Madrid. Its tactics, however have been changing over time. Random appearances are part of their “new strategy”.
Since September 11, law enforcement and counter-terrorism agencies have been focusing on the areas that, at the time, appeared to have the greatest exposure. Airlines, densely populated urban areas and critical infrastructure all made the list.
Unfortunately our enemies are smart enough to strike where we our defenses are least fortified.
Enter the VIPR Team.
The bombing in Madrid ushered in a new phase of terrorism, and subsequently a new phase of security. Our enemies began attacking softer targets, becoming more unpredictable. It was the definition of terror. We could take a few lessons from this new thinking.
During a half-day conference in Albany, NY recently we had the opportunity to speak to over one-hundred security professionals about the current state of information security. We discussed current trends, new threats and some recently targeted organizations. When it was over, we passed around a pocketknife and about a hundred audience members joined our wolfpack.
Perhaps most important of all the topics we discussed was the failure of the things we trust most in information security today. Cornerstones like defense in-depth, antivirus and least privilege. They all sound great, but the problem is, they’re not working.
Maybe it’s because we don’t have the resources. Maybe it’s because security still isn’t a priority for many organizations. Maybe it’s because we’re not measuring performance.
Or maybe, just maybe, these things are so predictable that our enemies know exactly how to get around them.
If I were an Internet criminal operating out of unsaid country in Eastern Europe, I would have a pretty good idea of where to start. I’d know which rootkits and payloads I’d need to deliver, and how to get them to their intended targets.
I’d know pretty much what to expect once my backdoor was operational, and I’d have a pretty good idea of how to pivot around my subject’s network. I’d know how to exfiltrate my objective and which tracks to cover.
And this goes for any organization.
How could this be? It’s not because I’m that smart or have intel on every company out there. It’s because most organizations [don’t] defend themselves in the same way.
So here’s an idea; the next time an uninvited intruder shows up on your network, surprise them. Utilize a control in a different way or implement it somewhere it normally isn’t found. Take a look at all of the things you’re doing, turn them 90 degrees, spin them once and give them a kick and see where they land. If they could be effective there in a different way, consider making the change.
Predictability is a vulnerability in itself. The VIPR Team has figured this out and so can we.
Cyber Monday is dead.
At least that’s what NPR would have us believe, along with CNN, USA Today and countless other media outlets.
According to these sources, ubiquitous Internet availability, along with the ability to shop from smartphones and other mobile devices has closed the gap between Cyber Monday and the days on either side of it.
This is compounded by the fact that Black Friday no longer starts on Friday. Yours truly was in line at 6:30 PM Thursday night because Black Friday started at 9 PM on Thursday in my town. This has caused online retailers to follow suit – the online deals are available Thursday, too. Waiting until Monday will only get you disappointment.
Now this doesn’t mean that Cyber Monday is going away. In fact, sales for Cyber Monday are growing rapidly year over year, and 2012 is expected to trump year’s past by 16.8%.
The opportunities are boundless, for retailers and fraudsters.
But a dead or dying Cyber Monday could have both positive and negative effects for security awareness.
On one hand, a special day tends to generate special behaviors. I might argue that awareness is heightened on Cyber Monday because it has a name, the media promotes it, retailers advertise it, banks warn of it.
When one dies, so does the other.
But the reality it that your payment card information is just as likely to get jacked on Wacky Wednesday or Filthy Friday. Security is a process, not a moment in time.
So in the spirit of Cyber Monday, and all it may come to be, here are our Top Five Tips for safe online shopping:
- Only Use Secure Sites – Check for HTTPS, the lock and a valid certificate before you enter any information, and certainly before you check out.
- Only Use Reputable Sites – Just because #1 is true doesn’t make it safe, don’t give your money to a stranger just because they handle it properly.
- Only Use a Credit Card – Don’t use a debit card, it does not offer the same protections as a credit card, and if the number is stolen it’s one step closer to your bank account.
- Check Out as a Guest – Don’t create an account with online retailers unless you have to, this may help you avoid storing your payment card information online.
- Check Your Statements – As silly as this sounds, this is one of the easiest ways to tell if you’ve been compromised.
We all shop online. It’s convenient, easy and usually saves you some coin.
And if you’re careful, Cyber Monday doesn’t have to be as black as your Friday.
Hurricane Sandy, appropriately named after a slow-moving but powerful family member of yours truly, spent the last few days wreaking havoc on the East Coast.
And while some of us made it through with just a bit of sideways rain, I’m sure there are more than a few business out there putting a Business Continuity Plan on their “To Do” list this morning.
Better late than never, they say.
Or is it? After all, Upstate New York has experienced an earthquake, a tornado, epic flooding and two hurricanes in the past fifteen months. This in an area that is considered relatively protected from Mother Nature.
Tonight, on All Hallows’ Eve, most of us will engage in some sort of ghoulish tradition, whether carving a pumpkin for the front stoop or trick-or-treating with the kiddies. And yet we know that most, if not all of these activities can end in some kind of trouble.
Chances are good that the creepy teenager down the block with the acne and the freakishly thick eyebrows is going to smash your pumpkin. Someone’s car is going to get a clean shave. And Mrs. McGillicutty’s willow tree is probably getting TPd.
But despite all of this, we trust our kids and neighbors to make it through the night without serious damage. We trust that things won’t get out of hand. Without trust that people won’t kill each other over a bag of treats.
And in that apparent weakness lies one of our greatest strengths. In trust we gain the ability to go about our lives. To interact with others. To exist.
Without trust, we could not walk down the street at night without checking every dark corner. We couldn’t approach a stranger’s door without a background check. We couldn’t eat candy without inspecting every chocolatey bite.
Without trust, we could simply not function.
Trust is at the heart of every security model on planet Earth. Despite popular wisdom, the security controls that we put in place to protect our information, people and other assets imply some measure of trust in their relationships.
We trust that a firewall will disallow specific protocols on specific ports. If we didn’t we wouldn’t buy them. But like the creepy kid down the street, trust only goes so far.
At some point, you need to verify.
And what better time than Halloween for a lesson in verification? Whether it’s the batteries in your flashlight, the traffic crossing in front of your little Spiderman or the brastrap on your girlfriend’s Lady Gaga BaconSuit costume, some times you just need to verify.
Halloween is no time for a wardrobe malfunction.
The American Presidency is designed to disappoint.
After watching much of the Republican National Convention (mostly online, God bless the Interwebz), I am truly prepared for an underwhelming four years.
This is in small part due to the fact that my candidate is behind in the polls and unlikely to win the election. But also consider this;
For the past year we’ve been inundated by candidates from all parties with promises of change and other transformative programs that will take America in the direction necessary for prosperity, safety, international diplomacy and the future development of our nation.
Each candidate has made promises to improve the economy, education, healthcare and human welfare, our international citizenship, critical infrastructure and more.
Candidates have regaled their programs’ unique features, and proclaimed how they are exclusively qualified to carry out these duties.
And irrespective of which box you check on your Voter Registration Card, you’ve invariably heard about how one political party is superior to the other.
But the truth is, no matter who makes it into the White House – Obama or Romney, Democrat or Republican – they will fail to deliver on their promises.
And this is as it should be.
You see the Founding Fathers were pretty smart dudes, and they knew a little something about security. They could see Obama and Romney coming a mile away, and they knew that the rhetoric of change was just that.
So they instituted a system of checks and balances. They created institutions that limited the President’s power to specific charges and duties.
They built a system of trust that ensured the President’s ability to control was dependent upon what Congress, the Supreme Court, the Federal Reserve Board, other nations and reality will allow him.
In fact, one of the most important security controls we use today – segregation of duties – is built into the Constitution and nearly every other important document that this country was founded on.
So on election day, let’s all take a deep, collective breath.
You may take the Presidency seriously, but rest assured that regardless of who wins, our forefathers were smart enough to neuter the CEO of America.
If you’re like many people, you’ve either been in Vegas this week, or you’ve been getting a few extra newsletters describing the heavily publicized antics that went on at this year’s Black Hat conference.
Unfortunately, I fell into the latter category.
Like years past, Black Hat delivered as advertised. Although the Secret Service didn’t halt any sessions for purposes of national security, there were some great pieces.
Black Hat (and DEF CON) always provide security professionals with plenty of new things to think about. I suppose that’s why they’ve become the most popular security conferences in the world.
But let’s be honest, they’re a lot like fashion shows.
I find fashion shows hilarious. A bunch of high-brow, Paris-types, with more time than other things convene and parade utterly garish clothing that’s entertaining and thought-provoking, but not in the least bit wearable. The ornaments, trappings and meatpuppets draped over wafer-thin models will never see a department store rack, let alone the closet in your home.
Kinda like Black Hat.
Please don’t take this the wrong way – I love Black Hat, DEF CON and the spirit behind these events. It’s just that they tend to be a distraction from what’s going on in the real world.
For example, one presentation suggested that businesses add offensive tactics to their arsenals. The presentation went on to purport that attacking, or “bringing pain to” your attackers has simply become necessary and other security tactics have become obsolete.
Another presentation, titled “Catching Insider Data Theft with Stochastic Forensics” gave attendees a look at how to predict unpredictable things in a precise way.
Yet other research focused on compromising iris recognition systems.
I feel like I need to repeat that these researchers are doing a great service, and their findings are truly revered.
However, most businesses can’t even manage to use decent passwords. They don’t patch. They don’t train their employees. Forget about introducing stochastic forensic analysis, most companies don’t have a shredder.
There was some really great research presented this year on circumventing web application firewalls, trust models and the latest findings on malware in the wild. You could say that some of these fit like an old pair of jeans.
The rest will probably stay in the closet until next year.
Recently, CSO published an article suggesting that organizations eliminate security awareness training from their security programs. The article has stirred great debate in security circles, including this one.
Citing the “Carronade” phishing test failure at West Point in 2004, the author went on to claim that any investment in security awareness training “is money wasted”. The overarching theme of the piece suggested that human susceptibility is impossible to eliminate. Because complete (100%) security is impossible to achieve in this area, resources should be dedicated elsewhere.
If this argument were true, there would be no firewalls. No antivirus. No security controls of any kind.
Let me first say that I respect the author for offering a viewpoint counter to that of the masses, and for getting us to think a bit. Let me then say that I believe the author missed the point. It’s not about eliminating training, it’s about eliminating ineffective training.
Anyone who has been protecting things for any length of time knows that trust is hard to come by. And it gets harder every day. Consider this:
- Business has become complex, amorphous and dynamic. An increasingly younger workforce cares less about privacy and security. Wireless, social media, virtualization, mobility – all of these have made it harder to protect critical assets.
- Attackers are multiplying and motivations are increasing. China just arrested 10,000 online criminals and other individuals suspected of Internet crimes. 10,000. And hacking is still not illegal in most countries.
- The tools to steal banking credentials and roll malware can be bought online with incredible ease. They’re inexpensive and come with technical support, just like Microsoft Office. Anyone can get into online crime.
Fighting cybercrime is a $400B industry, and we’re just getting started.
So now ask yourself, what – or better yet who – are you trusting to protect your assets?
I offer this counterpoint to the CSO article; an effective security awareness training is the best, perhaps the only security practice that, done effectively demonstrates dramatic, measurable return in today’s environment.
Your employees are everywhere, and they do everything. They touch every database. Every SSN. Every locked door. Every web application. Every e-mail. Every credit card number. Every line of code. Every turnstile. Every firewall rule.
Get the right message to your employees on a consistent basis and you have solved a significant number of your security challenges, or at least reduced risk in those areas. Change your employees behaviors and you have instantly changed your security profile. There is no other single security control that has that same potential.
Today, you may be trying to save the company time by making training optional for employees. Today, you may be trying to save the company money by having the security guy deliver your training. Today, you may be trying to save the company energy by delivering the same PowerPoint slides to management, IT and staff.
Today, you are wasting your money.
Tomorrow is another day.
Sometimes, security just sucks.
It was never meant to be that way. In fact, done properly security should support a business goal or a higher-level strategy. When it’s done well, security is not painful and it serves a purpose. It protects things worth protecting. It saves our @sses.
When it’s not done well, well…
I went out-of-town for a few days last week for the holiday. It was a last-minute decision, but a good one. The trip was short and sweet, and local. I used a hugely popular travel web site to make hotel reservations. To protect the not-so-innocent, the travel provider will remain nameless. But let’s just say that it wasn’t Expedia or Orbitz and it starts with a “hotels.com”.
Lately we’ve been using this service for business travel, as you can rack up free hotel stays quickly as long as you make reservations through their web site. Of course, you need to log in to your account before making your reservations – this I would learn the hard way.
The trip was wonderful – we did some biking, ate some great food and got to sleep in. Things all vacations should be made of.
Getting credit for the hotel stays was another story.
What I thought would be a quick call to the provider, started out bad and turned worse.
“Thank you for calling [hotel provider], can I help you?”
I explained that I needed to add credits to my account for stays that I had just completed. The customer service representative immediately requested my name, account number, DNA chains and a bunch of information that made me queasy. I asked politely why they needed this information for this activity, and why they would have had this information anyway. I certainly hadn’t provided it prior. These are hotel reservations after all, not the codes to The Football.
I then asked her if she could get me the secret recipe for Coke, while she was at it. Either she didn’t get it or she didn’t think I was funny.
Making a long story short, I will be calling my hotel provider back on Monday, as this situation still isn’t resolved.
This is why people shudder when IT or their company’s Information Security team start talking about reinforcing security controls or “locking things down”. Forget matching your organization’s culture and personality with your controls (which we almost never experience), but let’s remember that your security implementation should match your risk.
Even the Secret Service lets the President kiss a few babies.
I will be calling back on Monday and immediately asking for a supervisor. When I get him or her on the phone, I will do my best to refrain from security advice.
But I might still ask for that Coke recipe.
The United States Military has spent a lot of time and money developing its Special Operations forces. These elite teams of security operatives are highly trained to shoot, move and communicate under duress, with little or no advance notice of their impending scenario. Most missions involve dynamic entry, assessment and neutralization of threats, all while achieving a primary objective.
Seal Team 6 is the most famous of all the Special Operations teams. These are the operatives that led the capture and termination of Osama bin Laden, the maritime rescue of American sailors on the Maersk and the recent recovery of foreign journalists held hostage by Al-Shabaab terrorists. The best of the best has handled the worst of the worst.
Imagine what you could get done if you had your own Seal Team 6.
Think it sounds crazy?
On the surface, this legendary team appears to have accomplished near-mythical tasks. Once you start to break their missions and objectives down into their most basic milestones, actions and counteractions, however, their methods become much simpler.
Like Seal Team 6, cybersecurity has become a household word and responding to security incidents has become a common occurrence. Intellectual property, sensitive data and bank accounts have never been more at risk, and detecting, containing and correcting security incidents requires planning, practice and grace under pressure. Once developed, your Computer Incident Response Team (CIRT), Special Operations Team (SOT) or whatever you call it (just don’t call it Seal Team 7, that’s taken) will give your organization a “force multiplier”.
Force multipliers are assets that give your organization a strategic advantage and increase the effectiveness and efficiency of overall operations. These assets, or teams multiply the force of your organization because they carry out tasks that would normally require much greater resources to accomplish. This is possible due to the highly trained and focused nature of the team.
And yes, you can have your own.
Here’s what you need:
- Find the right operatives – Incident responders are born, not made. This isn’t completely true, but it takes a certain mindset and attitude to gain situational awareness, remain calm and lead when an organization is under attack. These skills are tough to teach. You probably already know who your operatives are. If you don’t, stop here and look for a qualified security provider that already delivers Incident Response services.
- Select the right weapons – A good shooter can make a bad gun shoot well. You don’t need the most expensive security tools, but you do need to make what you’ve got work effectively. If you’re about to embark on a digital forensics mission, you better have the right tool in your bag. And carry a backup. Your tools should meet their requirements and work consistently.
- Train, train, train – Training is the most important of all, and it should incorporate the following:
- The basics – Every Navy Seal is required to qualify with a rifle every year, regardless of his or her rank. It’s part of being a Seal. The ability to shoot, move and communicate makes our Military the greatest on Earth. Your CIRT resources should understand the basics of threat modeling, analysis, communication and tool manipulation. No exceptions.
- Scenario drills – Your training should incorporate regular attack and counterattack simulations – these should be as real as possible. Good penetration testing is critical, but tabletop exercises and other drills are important parts of the program. Training should incorporate “unplanned” scenarios, performance assessments and any analysis that will help the team perform during a real situation.
- Bugout – Training should include handling worst-case scenarios, or what the Military calls SHTF. When things really get sideways, you need to know what to do, when to do it and who’s going to do it. Crisis Management should integrate with your Incident Response Plan.
Regardless of what industry you’re in or what size your company is, at some point you will become a statistic (if you haven’t already). A Special Operations team specifically trained and ready to handle incidents could mean the difference between an achieved objective and a botched mission.
You may not be hunting terrorists or saving foreign diplomats, but your CEO might just give you a Medal of Honor.
It has become a common occurrence to hear about companies, governments and individuals being compromised by hackers.
Thanks to Anonymous, “the Chinese” and a bunch of kids from a country no one can pronounce, security has become a household word.
Seemingly overnight, information security has moved from a cottage industry to one that finds its sordid tales on the cover of every major periodical and leading every major newscast. It’s no secret that this condition exists because our adversaries have been and continue to be successful, to the tune of billions of dollars in intellectual property, bank accounts and defaced reputations.
Things have gotten sideways.
Many continue to ask why this situation persists, or from some perspectives, worsens. The answer is simply Newtonian – An object that is in motion will not change its velocity unless an unbalanced force acts upon it.
It’s time for an unbalanced force.
The US Military has developed tactics for when things get really sideways. For those life-or-death situations when you’re injured, surrounded by enemies and cut off from your support network. These tactics are called Escape and Evasion, and their applications aren’t limited to military survival.
As you read this, your critical assets sit unprotected. Not because you haven’t deployed firewalls, access controls and network segmentation, but because when those security controls are compromised (and they will be) those critical assets will be unable to protect themselves. They are inherently vulnerable, which is why they need compensating controls.
Enter Cyber Escape and Evasion.
For decades security professionals have been hardening perimeters, blacklisting bad actors and “locking things down”. These practices emerged when cyberwarfare was symmetric, when adversaries were [better] known and when cyberassets were few[er]. Sadly, these practices remain the foundation for many organizations, despite dramatic changes in attacks and attackers.
There are, however, some new concepts emerging regarding the protection of critical assets.
Imagine that your confidential data was camouflaged such that an unauthorized intruder couldn’t tell the data from the container. Imagine that your sensitive information assets were stored so randomly that hackers couldn’t make sense of them, even if they were discovered. Imagine that you deployed information decoys in such a way that it was difficult or massively time-consuming to tell which was the real source. Imagine that your sensitive data, once removed from its authorized container, could poison itself, much like the ink canister that is thrown into a bag of stolen cash.
What if the next time you were attacked, you could flood your attacker with false-positives and false-negatives, effectively disabling their ability penetrate your network?
These are just a few of the security tactics that are starting to get real attention. Each of these concepts moves security controls closer to the asset and emphasizes intelligence over building walls.
If you trust statistics, an intruder has already compromised the networks of 1 out of every 10 people reading this blog post. 6 more of those 10 will be hit sometime later this year. A recent study showed that most security professionals expected their security program to fail when it was truly tested.
I’ll save you the angst of asking the same question.
If there was ever time to inventory your assets, pack a “go” bag and assess your capabilities, it’s now. Things have gotten sideways and your firewall can’t save you. Your critical assets are either going to keep calm, signal the rescue chopper and be exfiltrated by their Security Officer, or their going to apply a tourniquet and die quietly as they’re dragged off to a POW camp.
What are your orders, sir?