The bombs that killed three people and wounded nearly 200 yesterday are a stark reminder that the odds are stacked against us when it comes to fighting crime.
While it appears that the response of the FBI, DHS, Boston Police Department, EMS and others was reasonably coordinated and effective, these situations inevitably raise recurring questions.
- Were we prepared?
- Who did this?
- Why did this happen?
- Could this have been prevented?
Governments, embassies, corporations and other entities have spent much time, money and energy in the hours since the Boston bombings reviewing (maybe panicking) and fortifying their protections.
And while this latest horror has caused all of us to ask these questions of ourselves, there is truly only one question that matters.
- Is what we’re doing to protect ourselves really worth it?
At a time like this, when lives have been lost, Presidents are holding press conferences and emotions are high, this question seems callous.
This is not to suggest that we shouldn’t be putting protections in place – far from it. In fact, I’d argue that all too often we as human beings would rather “take our chances” than protect ourselves proactively. It’s exactly why we see businesses getting owned by hackers every day.
But oftentimes we see the knee-jerk reactions caused by these events distracting us from the real objective. If we had just stayed the course and done a decent job of understanding our risks all along, we might not have been so vulnerable in the first place.
So we mourn our losses. These tragedies seem unavoidable, and perhaps they are.
But if we don’t learn from our mistakes it is all for nothing.
Two weeks ago travelers in the Austin, TX Amtrak station got a big surprise – a squad of anti-terrorism forces armed with assault rifles and specialized inspection equipment. It was just one of hundreds of [probably not so] random appearances being made by the Transportation Security Administration’s (TSA) VIPR Team all across America.
The VIPR (Visible Intermodal Prevention and Response) team is not new; in fact, it was launched in 2005 after the train bombings in Madrid. Its tactics, however, have been changing over time. Random appearances are part of their “new strategy”.
Since September 11, law enforcement and counter-terrorism agencies have been focusing on the areas that, at the time, appeared to have the greatest exposure. Airlines, densely populated urban areas and critical infrastructure all made the list.
Unfortunately, our enemies are smart enough to strike where our defenses are least fortified.
Enter the VIPR Team.
The bombing in Madrid ushered in a new phase of terrorism, and subsequently a new phase of security. Our enemies began attacking softer targets, becoming more unpredictable. It was the definition of terror. We could take a few lessons from this new thinking.
During a half-day conference in Albany, NY recently we had the opportunity to speak to over one hundred security professionals about the current state of information security. We discussed current trends, new threats and some recently targeted organizations. When it was over, we passed around a pocketknife and about a hundred audience members joined our wolfpack.
Perhaps most important of all the topics we discussed was the failure of the things we trust most in information security today. Cornerstones like defense in depth, antivirus and least privilege. They all sound great, but the problem is, they’re not working.
Maybe it’s because we don’t have the resources. Maybe it’s because security still isn’t a priority for many organizations. Maybe it’s because we’re not measuring performance.
Or maybe, just maybe, these things are so predictable that our enemies know exactly how to get around them.
If I were an Internet criminal operating out of an unnamed country in Eastern Europe, I would have a pretty good idea of where to start. I’d know which rootkits and payloads I’d need to deliver, and how to get them to their intended targets.
I’d know pretty much what to expect once my backdoor was operational, and I’d have a pretty good idea of how to pivot around my subject’s network. I’d know how to exfiltrate my objective and which tracks to cover.
And this goes for any organization.
How could this be? It’s not because I’m that smart or have intel on every company out there. It’s because most organizations [don’t] defend themselves in the same way.
So here’s an idea: the next time an uninvited intruder shows up on your network, surprise them. Utilize a control in a different way or implement it somewhere it normally isn’t found. Take a look at all of the things you’re doing, turn them 90 degrees, spin them once, give them a kick and see where they land. If they could be effective there in a different way, consider making the change.
Predictability is a vulnerability in itself. The VIPR Team has figured this out and so can we.
Piracy off the coast of Somalia has dropped off dramatically in 2012. Successful hijackings of American and other ships have decreased from 31 in 2011 (and 49 in 2010) to only four so far in 2012.
Unsuccessful attacks have also decreased, falling from 199 reported attacks in the first nine months of 2011 to 70 attacks over the same span in 2012 — a 65 percent drop.
However, diminished activity has not resulted in a decrease in the cost of sailing around the Horn of Africa.
Pressure continues to mount on international trade partners to increase the security of their vessels passing through these once heavily pirated trade routes. The risks of shipping goods through these waters increased to a point where extensive defensive measures were necessary, both politically and militarily.
But risk avoidance has come at a high cost.
Anyone in the defense contracting business knows that these services are expensive. Water cannons may be cheaper, but they just don’t have the same effect.
And so we see several examples of Risk Management at work here, on both sides of the proverbial coin:
- International shippers made the decision to spend X on armed guards, along with their required equipment, firearms and ammunition. In addition, the countries involved have begun increasing their naval presence, coordination and response plans to counter these activities, all at increased costs. This all to protect a bounty worth Y. We expect that if and when X exceeds Y that these practices will be suspended, and the shippers will go back to taking their chances.
- Somali (and other) pirates on the other hand, could at one time hijack a ship with four men, a couple of Kalashnikovs and a ladder, at a cost of X. To be successful today, they require far greater coordination, communications, firepower and manpower. Their costs have increased dramatically, while the bounty remains at Y. Factor in the recent increase in likelihood of death by armed paramilitary, and the decision becomes even clearer. The costs have outweighed the benefit.
Any organization today can apply the same methodology to make decisions about the procurement and implementation of security controls, even though they may not be shipping food, fuel and jewelry through international waters.
In a recent conversation with a prospect we discovered that a number of edge security devices were upgraded, to the tune of $80K. The obvious questions were launched:
- Did these investments address your most critical risks?
- Were these investments worth it?
Like any good cliffhanger, I’ll leave the responses to another post. Let me instead redirect and suggest that you ask yourself the same questions of your own investments.
You may also want to ask yourself if you’re the shipper, the pirate or both.
Luckily for us, we’re the armed guards.
For most, if not all Americans, today is a special day.
Eleven years ago we were all changed, some of us irrevocably. The images of that day are still burned into our memories.
Images of Osama bin Laden or the collapsing Twin Towers still generate feelings of angst, powerlessness and fear.
And yet, that’s all they are.
In a world of risks separating feelings from reality is difficult, but necessary. In many cases, they are not only different, but contrary.
Ask someone if they would rather text while driving or face a terrorist.
Yet texting while driving has killed twice as many people this year as terrorists have.
So why aren’t we afraid of texting in a moving car?
The answer is related to the way human beings make decisions. It’s related to the way the human brain works, and to the way fear, ego and survival instinct cause us to feel and react.
It makes us really bad at judging risk sometimes.
Eleven years ago, the USA, including the intelligence community, Government and Military, didn’t keep feelings and reality in check. We didn’t understand our risks.
We didn’t think terrorists would fly planes into buildings.
Let’s take a moment today to remember those lost in the tragedy on September 11. Let’s remember all of those affected. Let’s remember those who have paid the ultimate price fighting to make things right.
Let’s also remember that the next tragedy can be averted if we remember that you can feel secure and not be.
On Friday an Albany police officer shot and killed a 19-year old male when a routine traffic stop turned violent.
The suspect and deceased allegedly reached for the loaded .22 caliber handgun that he was carrying after the SUV he was driving was stopped for a traffic violation. Officers shot and killed the man, claiming self-defense.
A public press hearing was held, which quickly became explosive: a chaotic scene running high with emotion.
While it is difficult to draw analogies between a shooting and cybercrime, one can draw some parallels between the physical and cyber realms. It is often difficult to know the best course of action in either. And in both cases, there is rarely enough time or information to make good decisions.
There are no absolutes in our business.
One can draw many conclusions about the potential outcomes of not neutralizing an allegedly enraged and armed suspect on the streets of downtown Albany. We can also make some assumptions about the effects of negligent or absent security controls in the workplace. When it comes to making difficult decisions about what to do or not to do and when to do it, things become hazy real fast.
On the street it can get you killed. In the workplace the worst is usually termination of a different sort.
And sometimes it’s hard to know what side you’re on.
Stratfor, Comodo, RSA and HBGary all make a living securing other organizations, yet became targets themselves over the past year. According to public opinion, each of them became targets because of who they were – yet they became victims because they didn’t practice what they preached.
On top of that, each made bad decisions while under duress, whether it was latent customer communications or weak security remediation.
Friday’s press release in Albany was chaotic for a number of reasons. First, neither side had all of the necessary information and assumptions were made by both sides about what had happened. We saw this happen to RSA and the other victims in the court of public opinion, as well. It’s tough to know who’s to blame.
What we do know is that a young man is dead. And intellectual property worth hundreds of millions of dollars was compromised. These are indisputable facts. Despite lengthy investigations, this may be as close as we ever get to the honest truth in either case.
There are no absolutes in our business.
Those committed to providing honest, effective security will work tirelessly to perfect their fundamentals and plan for the unexpected. Like good public defenders, good security providers will possess strong situational awareness, true aim and flawless decision-making ability.
Great security providers will be able to do all of that while taking enemy fire.
Last week’s SC Congress in New York City was short and sweet. The one-day security conference focused on emerging threats and case studies, including Barnes and Noble, Tyco and HSBC. There were several hundred in attendance. The multi-grain tunafish box lunch was delightful.
Among my favorite presenters was Mark Clancey, the CISO for the Depository Trust and Clearing Corporation (DTCC). You’ve never heard of this organization, but you use them every day. In fact, we all do. DTCC provides clearing and settlement for equities, bonds and securities for the US and 121 other countries. In 2009, DTCC settled more than $1.48 quadrillion in securities transactions. Yes folks, that was not a misprint. The number is so big that they had to make up a name for it.
In his talk he described the information security challenges they face, which are understandably different from most. Asked what he considered to be his greatest security hurdle, he responded “information sharing”. He went on to describe DTCC’s relationship with the FBI, the FS-ISAC and other information sharing organizations, and the difficulties they face. We’ve seen this problem cited countless times before, including its roots in 9-11. He closed by saying that “hackers communicate better than we do”.
But is this why we’re losing the war on cybercrime? As I wandered off, deep in thought it occurred to me that there may be other areas where hackers are outperforming us. Perhaps it wasn’t their cunning, but rather their ability to understand business, strategy and process that was their advantage? Sitting and waiting for the coffee break I came up with the following possibilities:
- Hackers don’t burden themselves with compliance – It may sound silly, but there are entire industries causing victimized organizations to become distracted from the real goal. Compliance regulations have good intentions, but applied in the wrong context or culture they can be counter-productive. Hackers get the job done in the most efficient and cost-effective way, without cycles spent on annual reporting or scans.
- Hackers don’t rely on technology – The tools in use by today’s hackers are simple and effective and are geared towards ROI. While no doubt a successful attack may require a reliable rootkit, if the one they’re currently using doesn’t work, they’re not afraid to move to an alternative. Technology is a means to an end, not a religion. And it’s generally inexpensive to make and support.
- Hackers know their risks – Whether you’re a hacker, hacktivist or corporate spy, the priority is not getting caught and they put lots of wood behind this arrowhead. The numbers speak for themselves; today there are roughly three million people incarcerated in the US (it typically runs at 1% of the population). In 2011, the FBI caught (not convicted) but 17 US citizens for computer-related crimes (the total is a measly 35 globally). The value of banks being robbed by gun is dwarfed by the value of banks being robbed by computer. You do the math.
- Hackers don’t use default passwords – While I remember only bits and pieces of this story, the moral still rings true. The FBI, along with their foreign counterparts in Estonia, were working to extradite an alleged cybercriminal, his laptops and other computer equipment. The suspect, after being worked over for weeks by the Federali, finally handed his laptop encryption password over – it was a passphrase nearly 300 characters long.
- Hackers don’t have sensitive data – Sure it’s true that they have an asset that they’re generally trying to protect, but if they lose it or it’s stolen they know where to get more. Besides, is it really sensitive if it’s not even theirs? In addition, there are no HR databases. No credit card transactions (not on their own cards, at least). Hackers could teach us CISSPs a thing or two about reducing our attack surface.
- Hackers don’t trust – Aliases. Onion routing. Offline couriers. Money mules. There is no trust in hacking. This is essential to their survival.
Now this list shouldn’t imply that there aren’t idiot hackers out there throwing up pictures of their new Porsche (complete with Russian license plates and geotags) on torrents once in a while, but we don’t hear about those incidents all that often. The reality is, when it comes to Operational Security (OPSEC), hackers are beating us like a drum.
We often recommend to clients that they “think like hackers” when developing their security programs. The idea comes from Sun Tzu – in knowing their attacker, they can best develop their security measures.
Perhaps we should also suggest that clients look to hackers when developing their business plan.
I’m not talking about trick-or-treating, I’m talking about Information Security. (Hooo-hoo-hoo-hoo-hoo-haa-haa-haa-haa-haa)
- Wear a well-fitting outfit – If your costume doesn’t fit, or if it makes you sweat or gives you a rash, you’re going to end up taking parts of it off. Then you’ll spend the rest of the night explaining what you are and possibly forfeiting bounty. There’s no point in getting into something that you’re not going to use, it wastes time, money and energy, and you pretty much get nothing out of it. Your security program should fit like a catsuit. Black.
- If you see something, say something – Too often we’re hesitant to make the call when we see something that’s out of place or just doesn’t feel right. As human beings we are programmed to not get involved, but done appropriately it can help prevent problems from occurring. It might be a ghost, it might be an intruder. Be safe, not sorry.
- Stay away from dark houses – In the best case you’re wasting your time, in the worst case you’ll end up wandering into a bad place. There’s plenty of low-hanging candy out there, don’t get distracted by the latest curiosity. We all know what curiosity did to the cat.
- Use sidewalks and driveways – If you’re cutting across lawns or jumping fences because you think you’re going to make better time, chances are decent that you’ll end up in an open septic tank. Or a drainage ditch. Or getting caught on a pole. Shortcuts rarely are, that’s why we have standards. Stick to lighted streets and pathways. And trust me on the septic tank thing.
- Know your route – Have a plan and stick to it, but remember that your plan should account for change. If the police have closed Lincoln Drive off because someone egged Mr. Goldman’s place, be prepared to take Washington. It may get messy out there and there are no guarantees. Review your plan regularly to maximize your progress.
- Don’t walk those streets alone – Strength comes in numbers. Find people to go with you on this harrowing journey, chances are they’ll know something about the streets you’re walking and they’ll help you avoid traps that you would have fallen into otherwise. It’ll be more fun, too. And don’t be afraid to call for help if you see trouble, there are experts out there that specialize in dealing with problems.
- Check your candy before eating it – This one seems obvious, but when something is given to us we’re usually so excited we just can’t wait to open it up. Once it’s opened it’s too late, and it usually ends up installing a rootkit and stealing our banking credentials. Or giving us a toothache. Don’t judge that candy by its wrapper, and don’t even take it if it’s not coming from a trusted source. The apple from Mrs. McGillicutty is probably fine, but I wouldn’t touch that popcorn-ball-thing you got from Old Man Haversham.
- Don’t talk to strangers – There are a lot of bad people out there, and they do bad things. They’ll take your candy. They’ll even take that popcorn-ball-thing you got from Old Man Haversham. Only get involved with people you trust. If you’re going to be spending time with them, you should know where they come from, what they do for a living and if they’ve had a vendor risk assessment from a trusted security provider.
- Pace yourself – Running from house to house will only wear you out, and chowing a bag full of Reese’s will make you sick. It’s going to be a long night, and the successful will recognize that this is a continuous process. Ring door bell, collect candy, run to next house, repeat. Master your pace, master your success. Stick to your security priorities. Do too much at once and you’ll just end up exhausted and nauseous.
- Enjoy – Too many of us are heads down in the mission and we forget to stop and smell the candy corn. It’s not just about collecting the biggest bag of candy, it’s about the experience. Yes, we all have a serious job to do, but we won’t be able to take it seriously if we don’t love what we do. So love it. Eat it like candy.
It is said that any threat with enough resources or motivation will eventually find a vulnerability in a system. As I watched the overflowing Hudson River decimate the park, marina and restaurant behind my office, that theory became a staggering reality.
On Sunday, Troy, NY experienced its worst flooding since 1977. With record rainfall from Hurricane Irene, many area dams were at risk of failure and creeks and rivers were over their banks. Homes were flooded and vehicles were destroyed. Boats were lost from marinas, washed down the river along with tons of trees, barrels and other debris. The crowds of people who had gathered in front of the now-underwater Dinosaur BBQ added to the chaos.
Today however, just hours after the event, our city is already getting back to normal. Walking through the areas hardest hit by the flooding, it’s clear that recovery is well underway. The crowds have dissipated, the police tape is slowly disappearing, and businesses are getting back to normal operations. This recovery is occurring in large part because the first responders, law enforcement, FEMA and DHS personnel that responded to the disaster were prepared.
No one could have anticipated that Upstate New York was to be hit by both an earthquake and a hurricane in the same week. In fact, we were probably more likely to see a unicorn. But a good Incident Response plan assumes that we won’t necessarily have all of the intelligence, resources or time that we need to counteract a threat. A good Incident Response plan can also mean the difference between a business returning to normal operations, and a total disaster.
Security incidents come in all shapes and sizes. One day you may be responding to a malware outbreak, the next day you may be responding to the $250,000 that has been siphoned out of your company’s bank account. Irrespective of the type of organization, a good Incident Response plan should address the following:
- Containment – Whether isolating the latest worm or preserving evidence of a databreach for litigation, your containment strategy will vary depending on the incident. The most important considerations in this step are minimizing damage and neutralizing the threat without affecting your downstream mitigation options. It is important to understand your threat before enacting a containment strategy – an active shooter requires different counteractions than a perimeter attack.
- Mitigation – Once the threat is contained, it should be addressed. Again an understanding of the threat is important. In many instances, expertise in evidence preservation and chain of custody is critical, particularly in situations where legal proceedings are anticipated.
- Recovery – Rebuilding systems, restoring from backups or providing counseling for employees are all essential steps in the Incident Response process. Effective recovery requires advance planning and preparation, but it will provide significant returns if done properly.
Lastly, your Incident Response plan should be governed by policy and handled by a team specially trained in response procedures. It’s not unusual to outsource some of your incident handling efforts. In fact, asking an internal team to perform technical forensics tasks or to understand the intricacies of evidence preservation could be like asking the Pakistani Army to capture bin Laden – it could get very messy and leave you without the desired outcome.
I had lunch in downtown Troy today, and if I hadn’t witnessed the flooding firsthand I would’ve never guessed that large parts of the city were underwater 24 hours prior. Thanks to preparation, a trained team and a good Incident Response plan, today’s pizza tasted just like any other day.
As the owner of an information security firm, I spend a lot of time promoting security awareness and encouraging organizations to adopt an appropriate level of operational security (OPSEC) in their businesses. It has been proven time and again that humans have been and continue to be the greatest weakness in an organization’s security chain, primarily because the humans in question haven’t been given the right tactics, techniques and procedures (TTPs) to defend themselves, nor have they had adequate adjustments in attitude to want to do so. Today’s human firewalls tend to be as flawed as the firewalls plugged into countless datacenters.
I had breakfast this morning with a friend of mine who has been employed in various law enforcement agencies for all of his adult life. A highly certified and accredited individual, my friend (who I shall refer to as Harry) has worked in counter-terrorism, forensics, explosives interdiction, corrections and firearms training, among other things. Harry and I met for breakfast to talk about business, but were inevitably sidetracked by the latest juicy gossip of police raids on terror cells, unpublicized databreaches and gangs using the Internet to auction illegal firearms.
Over a couple of breakfast sandwiches we continued to talk about the problems that citizens and local businesses were having with gangs, drugs and the illegal firearm trade that has become so active in the Capital Region. I listened as Harry shared story after story of small businesses that were being increasingly terrorized by racist groups, crime and violence. For confidentiality purposes I can’t share specifics, but I can tell you that I was alarmed at the frequency and severity of the crimes that were occurring. As I processed all of this new information it occurred to me that if John Q. Public really knew what was going on in law enforcement, they would never leave their house.
And then it occurred to me – what if the same was true of information security?
I recently read an article that suggested that there should be more databreach notifications, rather than fewer. The idea behind the article was that with more notifications, we would learn more about current exploits and be better at addressing the threats and vulnerabilities behind them.
But imagine for a moment that the details of every databreach, malware outbreak and security incident were at once made public. One of two things would happen:
- With so much information made suddenly available, there would be no way to process it, and it would be useless. The number of databreaches and security incidents that go unreported is staggering, beyond comprehension in any meaningful way. The sheer volume of data would desensitize all but the most determined practitioner.
- The computing world as we know it would stop. I liken it to a mass, global outbreak of the AIDS virus – there’d be a whole lot less sex going on. Web properties like Amazon, eBay and Facebook would cease to exist, as would their trading partners. Credit cards would disappear. Banks would shutter and dissolve. Security is based on trust – when that trust is shattered, the systems that are built upon an implied system of security cannot survive.
The only way to prevent one of these two outcomes is to increase our awareness while improving our ability to identify and deal with our risks. Our very way of life relies on this.
And while it may seem far-fetched to think of our world regressing to a time before the Internet, before credit lines or before the first financial institutions, remember that there’s an ugly world going on out there. You just don’t know it yet.