Tag Archive | Operational Security

You’re the Next President

Sounds awesome, doesn’t it?

Unfortunately, I’m not talking about getting you elected to the highest, most powerful office in the world.

No, sadly I’m talking about the likelihood that your e-mail will get hacked and pictures of you in the shower will show up on the Interwebz.

Ask yourself when was the last time you sent an e-mail that you didn’t want anyone else to see? It may have been complaints about your boss, or sweet nothings to your girlfriend. It could have been tax or financial information, or perhaps something about a medical issue.Bush

And you probably keep e-mail around forever, right?

I’ve seen people with thousands of e-mails still in their Inbox. They didn’t think to move them to another folder or delete them after they read them.

Receipts from online purchases. New account registrations and password changes. They just sit there like little gold nuggets, waiting for a miner.

The reality is, we all do it. Just like Ashton Kutcher, Sarah Palin and Lindsay Lohan, we normal people use e-mail for just about everything. And few truly think about or understand just how sensitive, or critical e-mail has become.

Until their undergiblets show up in a Google images search.

So take a moment today to manage that risk down a little. If your e-mail is compromised it probably exposes a whole pile of other things.

Make sure you have a good password. If your e-mail service offers multi-factor authentication (SMS, token, etc.), consider it. Delete e-mail that you don’t need anymore. Think about the things that you send through e-mail before you send them – if they ended up in the wrong hands would you be OK with it?

Because it may sound awesome, but you don’t want to be the next President.

Advertisements

Rethinking Security – Part 1

Two weeks ago travelers in the Austin, TX Amtrak station got a big surprise – a squad of anti-terrorism forces armed with assault rifles and specialized inspection equipment. It was just one of hundreds of [probably not so] random appearances being made by the Transportation Security Administration’s (TSA) VIPR Team all across America.

The VIPR (Visible Intermodal Prevention and Response) team is not new, in fact it was launched in 2005 after the train bombings in Madrid. Its tactics, however have been changing over time. Random appearances are part of their “new strategy”.

Since September 11, law enforcement and counter-terrorism agencies have been focusing on the areas that, at the time, appeared to have the greatest exposure. Airlines, densely populated urban areas and critical infrastructure all made the list.

Unfortunately our enemies are smart enough to strike where we our defenses are least fortified.

Enter the VIPR Team.

TSA VIPR Team Inspects Amtrak Station

TSA VIPR Team Inspects Amtrak Station

The bombing in Madrid ushered in a new phase of terrorism, and subsequently a new phase of security. Our enemies began attacking softer targets, becoming more unpredictable. It was the definition of terror. We could take a few lessons from this new thinking.

During a half-day conference in Albany, NY recently we had the opportunity to speak to over one-hundred security professionals about the current state of information security. We discussed current trends, new threats and some recently targeted organizations. When it was over, we passed around a pocketknife and about a hundred audience members joined our wolfpack.

Perhaps most important of all the topics we discussed was the failure of the things we trust most in information security today. Cornerstones like defense in-depth, antivirus and least privilege. They all sound great, but the problem is, they’re not working.

Maybe it’s because we don’t have the resources. Maybe it’s because security still isn’t a priority for many organizations. Maybe it’s because we’re not measuring performance.

Or maybe, just maybe, these things are so predictable that our enemies know exactly how to get around them.

If I were an Internet criminal operating out of unsaid country in Eastern Europe, I would have a pretty good idea of where to start. I’d know which rootkits and payloads I’d need to deliver, and how to get them to their intended targets.

I’d know pretty much what to expect once my backdoor was operational, and I’d have a pretty good idea of how to pivot around my subject’s network. I’d know how to exfiltrate my objective and which tracks to cover.

And this goes for any organization.

How could this be? It’s not because I’m that smart or have intel on every company out there. It’s because most organizations [don’t] defend themselves in the same way.

So here’s an idea; the next time an uninvited intruder shows up on your network, surprise them. Utilize a control in a different way or implement it somewhere it normally isn’t found. Take a look at all of the things you’re doing, turn them 90 degrees, spin them once and give them a kick and see where they land. If they could be effective there in a different way, consider making the change.

Predictability is a vulnerability in itself. The VIPR Team has figured this out and so can we.

Cyber Monday is Dead, Long Live Cyber Monday

Cyber Monday is dead.

At least that’s what NPR would have us believe, along with CNN, USA Today and countless other media outlets.

According to these sources, ubiquitous Internet availability, along with the ability to shop from smartphones and other mobile devices has closed the gap between Cyber Monday and the days on either side of it.

This is compounded by the fact that Black Friday no longer starts on Friday. Yours truly was in line at 6:30 PM Thursday night because Black Friday started at 9 PM on Thursday in my town. This has caused online retailers to follow suit – the online deals are available Thursday, too. Waiting until Monday will only get you disappointment.

The simple fact is, people are doing more shopping on days other than Cyber Monday.

Now this doesn’t mean that Cyber Monday is going away. In fact, sales for Cyber Monday are growing rapidly year over year, and 2012 is expected to trump year’s past by 16.8%.

The opportunities are boundless, for retailers and fraudsters.

But a dead or dying Cyber Monday could have both positive and negative effects for security awareness.

On one hand, a special day tends to generate special behaviors. I might argue that awareness is heightened on Cyber Monday because it has a name, the media promotes it, retailers advertise it, banks warn of it.

When one dies, so does the other.

But the reality it that your payment card information is just as likely to get jacked on Wacky Wednesday or Filthy Friday. Security is a process, not a moment in time.

So in the spirit of Cyber Monday, and all it may come to be, here are our Top Five Tips for safe online shopping:

  1. Only Use Secure Sites – Check for HTTPS, the lock and a valid certificate before you enter any information, and certainly before you check out.
  2. Only Use Reputable Sites – Just because #1 is true doesn’t make it safe, don’t give your money to a stranger just because they handle it properly.
  3. Only Use a Credit Card – Don’t use a debit card, it does not offer the same protections as a credit card, and if the number is stolen it’s one step closer to your bank account.
  4. Check Out as a Guest – Don’t create an account with online retailers unless you have to, this may help you avoid storing your payment card information online.
  5. Check Your Statements – As silly as this sounds, this is one of the easiest ways to tell if you’ve been compromised.

We all shop online. It’s convenient, easy and usually saves you some coin.

And if you’re careful, Cyber Monday doesn’t have to be as black as your Friday.

Bullets, Pirates and Risk Management

Piracy off the coast of Somalia has dropped off dramatically in 2012. Successful hijackings of American and other ships has decreased from 31 in 2011 (and 49 in 2010) to only four so far in 2012.

Unsuccessful attacks have also decreased, falling from 199 reported attacks in the first nine months of 2011 to 70 attacks over the same span in 2012 — a 65 percent drop.

However, diminished activity has not resulted in a decrease in the cost of sailing around the Horn of Africa.

Pressure continues to mount on International trade partners to increase the security of their vessels passing through these once heavily pirated trade routes. The risks of shipping goods through these waters increased to a point where excessive defensive means were necessary, both politically and militarily.

But risk avoidance has come at a high cost.

Many factors have contributed to the decrease in pirate hijackings in 2012. One factor is that shipping companies have begun equipping their ships with countermeasures, namely armed guards.

Anyone in the defense contracting business knows that these services are expensive. Water cannons may be cheaper, but they just don’t have the same effect.

And so we see several examples of Risk Management at work here, on both sides of the proverbial coin:

  1. International shippers made the decision to spend X on armed guards, along with their required equipment, firearms and ammunition. In addition, the countries involved have begun increasing their naval presence, coordination and response plans to counter these activities, all at increased costs. This all to protect a bounty worth Y. We expect that if and when X exceeds Y that these practices will be suspended, and the shippers will go back to taking their chances.
  2. Somali (and other) pirates on the other hand, could at one time hijack a ship with four men, a couple of Kalashnikovs and a ladder, at a cost of X. To be successful today, they require far greater coordination, communications, firepower and manpower. Their costs have increased dramatically, while the bounty remains at Y. Factor in the recent increase in likelihood of death by armed paramilitary, and the decision becomes even clearer. The costs have outweighed the benefit.

Any organization today can apply the same methodology to make decisions about the procurement and implementation of security controls, even though they may not be shipping food, fuel and jewelry through International waters.

In a recent conversation with a prospect we discovered that a number of edge security devices were upgraded, to the tune of $80K. The obvious questions were launched:

  1. Did these investments address your most critical risks?
  2. Were these investments worth it?

Like any good cliffhanger, I’ll leave the responses to another post. Let me instead redirect and suggest that you ask yourself the same questions of your own investments.

You may also want to ask yourself if you’re the shipper, the pirate or both.

Luckily for us, we’re the armed guards.

I Was Wrong About Security (Again)

On Friday of last week, a few GreyCastlers spent some time at the range with the FBI Albany Division SWAT team.

We started with the obligatory safety briefing, then talked training and qualifications for a while and then we shot firearms for a few hours.

I love my job.

During the course of the conversation, the SWAT Team Leader discussed the rigor and frequency of the squad’s training program. On average, each operator fires 10,000 rounds each year. Some of these are in basic training drills, where the operator is simply shooting at a target. Some these rounds are in live fire drills, where the operator is timed, under duress and working with a team. And yet another bunch of rounds are fired in what’s called force-on-force. This is where someone is firing back (they’re using non-lethal ammo, of course).

When asked why they spent so much time training, the Team Leader stressed the need for “unconscious competence” in their profession. This is a term that has been coming up more in information security circles, too, particularly regarding operational security.

The SWAT team did a quick demonstration of a dynamic entry before we all geared up and grabbed guns. They deployed a flashbang, kicked a (virtual) door in, dropped a few tangos and rescued the hostage. It was over in under three seconds.

These guys are good. Really good.

What do you expect for individuals who qualify with their weapons four times a month under tight tolerances and grueling conditions?

After the course I started thinking again about how unconscious competence can be achieved in our business. Let’s rewind a bit.

Last week I suggested that people weren’t the biggest problem in information security. I was wrong.

Human beings, despite having an oversized brain and opposing thumbs, are naturally bad at interpreting risk. We are by far, the biggest problem in information security. We are the only reason that training programs are required.

What if employees were required to qualify four times a month like the SWAT team? What if we could get employees to achieve unconscious competence?

Most of the people reading this will already recognize that changing people’s behavior’s requires a bit of psychology. Up until recently we’ve focused on learning sciences as they relate to content and delivery – relevance, engagement, tempo and duration.

But what if we applied a secondary model to this, one that starts out suggesting that people don’t know what they don’t know.

Introducing the “Four Stages of Competence“.

This learning model has been around for some time (I first learned about it in the October/November 2012 issue of Handguns Magazine) and it makes a lot of sense.

We plan to do some research on this and continue to think about how we can integrate this into our awareness and education programs.

If it’s good enough for SWAT it’s good enough for us.

I Was Wrong About Security

Back in the mid-2000s I was managing enterprise security for a medium-sized entity in critical infrastructure.

Along with security I was managing much of the Information Technology team, including the Help Desk. My management style tends to be pretty hands on, and one of the things I liked to do was walk around and survey my minions in the morning.

I would talk to my teams about their problems and headaches, and if I got lucky, what was going well.

One morning I was passing through the Help Desk when I overheard one associate – we’ll call him Fred – working with an end-user on a problem. Fred kept repeating, “yes, go ahead and put your mouse on the OK button and click”. Seemed simple enough.

Well after multiple attempts, Fred decided that it was worth a trip out to see the user. I was intrigued so I tagged along.

I learned an important lesson that day.

When we got to the user’s cubicle, we were met with a sweet older women. She was smiling. Super friendly. Just a warm, inviting person. There was no frustration, no resentment whatsoever that we hadn’t been able to resolve her problem. Fred got right to work.

He repeated his instructions. “Put the mouse on the OK button and click.”

So she did just that.

She picked her mouse up off of the desk and literally placed it on the monitor, right on top of the OK button. And then she clicked. And she was right, it didn’t work.

She did exactly what we told her to do, but not what we wanted her to do.

You can guess the moral to this story.

Fast-forward to today, and most security practitioners (I used to be in this group) will have you believe that people are our biggest risk. They will tell you stories about how people fail during penetration tests, how people don’t “get it” and how statistics show that nearly all security breaches are the result of a human failure.

They will tell you that people are the biggest problem in information security.

They are wrong.

Ask yourself these questions –

  1. Would you attempt to drive across the country without a map?
  2. Would you let someone perform surgery on you if they weren’t a doctor?
  3. Would you deploy a firewall without configuring it?

The answer to all of these is obviously no.

However we regularly – in all industries, in organizations of all shapes and sizes, in every country of the world – expect human beings to behave securely without effective training, education or configuration.

What we haven’t quite figured out in a meaningful way yet is that, people are like firewalls. They need configuring and patching on a regular basis. As soon as you stop patching a firewall, the state of its security begins to decline. The same is true of people.

And yet people are not like firewalls at all. Firewalls don’t have brains. And people aren’t binary.

Yet most organizations continue to utilize training techniques that aren’t designed for human beings. Their training is boring, irrelevant, tedious, unengaging and long. We’ve all been there – forty-five bullet-filled, do-it-yourself PowerPoint slides and a quiz.

This doesn’t bring awareness, it brings tears.

If you want your employees’ security behaviors to be effective, your training needs to be effective. It has to be fun. It has to be relevant to their job. It has to be short enough that it can fit into their day without being too disruptive. It has to be timely. And it has to be continuous.

October is National Cyber Security Awareness Month, a great time to rethink your security awareness and education program.

I was wrong about security, but you don’t have to be.

Your human firewalls – and your business – will thank you.

Security is “No Easy Day”

The recently published book containing the details of the raid on and killing of Osama bin Laden has caused a firestorm in military and security circles.

In “No Easy Day”, Mark Owen (a pseudonym, his real name is Matt Bissonnette) provides a first-hand account of the planning and execution of the operation to kill the world’s most wanted terrorist.

The ex-Navy Seal gives a blow-by-blow in what is described as a vivid, and sometimes gruesome documentary.

The Pentagon claims that it contains “sensitive and classified” material. You may argue that the very honor, ethics and cultural values of America’s elite fighting force has also been compromised.

But this debate goes beyond disclosure of classified information, which is a crime.

These types of disclosures have very real parallels in information security, as well.

Some security experts argue that disclosure of security operations, particular during databreaches and other incidents, is critical to the successful handling and prevention of future incidents.

The concept is that the more that is published about how particular vulnerabilities were exploited, the better prepared other organizations can be to defend them.

Some claim that the disclosure of databreaches and their related vulnerabilities only invites copycats. After all, how many organizations will take action on advice, once given?

Still another argument suggests that disclosures weaken the defenders themselves, rather than the vulnerabilities. The more an attacker knows about our Tactics, Techniques and Procedures (TTPs), the better they can work around them.

Sharing information is critical, whether it’s done at the department, industry or nation level. The question then becomes, how can we share intelligence without compromising our own mission?

The concept of Operational Security (OPSEC) has existed for millennia. During times of war, mission plans are the most sought after of all artifacts.

During times of peace, they are surpassed only by the plans for war.

Many argue that Mark Owen has now put the lives of many Navy Seals in jeopardy. At a minimum it’s going to make their jobs a little harder for a while.

And if nothing else, it has brought visibility to the importance of Operational Security.

Irrespective of which side of the fence you sit, you need to know where the fence is. And you can be pretty damn sure that there’s somebody on the other side.

Now we know that they’ve got 23 other guys, dropped out of a stealth chopper and are carrying M4s.

More Tales From the (Unen)Crypt

You just can’t make this stuff up.

Last week I received the following text message from an unknown number: “I received check. Thank you. Alice“.

A quick bit of research revealed that the number came from a woman (OK, I made some assumptions on the “Alice” part) who owns a flower shop in a small town in Florida.

They offer a full line of floral favorites, houseplants and perennials, and they also accept Visa, MasterCard and PayPal. The web site doesn’t say anything about accepting personal checks but apparently they’re cool with that, too.

I sat on the text for over an hour, as various scenarios piled up in my mind. I couldn’t help but wonder how security-conscious Alice was. Now that she had opened the door, I wanted to walk through and see what was on the other side.

My curiosity was piquing. Was Alice from Wonderland, carrying a big, nasty broom, and sweeping out all that would dare trespass on PII? Or was she just another careless merchant exposing helpless customers’ personal data?

I couldn’t help myself.

Hi Alice. I don’t remember which acct I used can you resend the routing and acct number.

We would soon find out.

Like all disasters, you prepare for the worst and hope for the best. We all want to believe in human beings’ natural sense of good, to protect our own and to want the best for others. We are the only species on the planet that has been gifted with morality, a true sense of right and wrong. We are truly blessed.

Over two hours had passed and I felt strong. In a world where security breaches, fraud and cybercrime were the norm, Alice was a beacon of hope. A shining example of what was right in this sordid world where so much has gone wrong. Alice, a frail, aging shopkeeper would show us what fortitude, diligence and a sense of righteousness truly means. If Alice could do it, anyo (bzzzzzt)…

021000322 XXXXXXXXXXXX XXXX

Don’t buy flowers in Florida.

To Train or Not to Train, That is Not the Question

Recently, CSO published an article suggesting that organizations eliminate security awareness training from their security programs. The article has stirred great debate in security circles, including this one.

Citing the  “Carronade” phishing test failure at West Point in 2004, the author went on to claim that any investment in security awareness training “is money wasted”. The overarching theme of the piece suggested that human susceptibility is impossible to eliminate. Because complete (100%) security is impossible to achieve in this area, resources should be dedicated elsewhere.

If this argument were true, there would be no firewalls. No antivirus. No security controls of any kind.

Let me first say that I respect the author for offering a viewpoint counter to that of the masses, and for getting us to think a bit. Let me then say that I believe the author missed the point. It’s not about eliminating training, it’s about eliminating ineffective training.

Anyone who has been protecting things for any length of time knows that trust is hard to come by. And it gets harder every day. Consider this:

  1. Business has become complex, amorphous and dynamic. An increasingly younger workforce cares less about privacy and security. Wireless, social media, virtualization, mobility – all of these have made it harder to protect critical assets.
  2. Attackers are multiplying and motivations are increasing. China just arrested 10,000 online criminals and other individuals suspected of Internet crimes. 10,000. And hacking is still not illegal in most countries.
  3. The tools to steal banking credentials and roll malware can be bought online with incredible ease. They’re inexpensive and come with technical support, just like Microsoft Office. Anyone can get into online crime.

Fighting cybercrime is a $400B industry, and we’re just getting started.

So now ask yourself, what – or better yet who – are you trusting to protect your assets?

I offer this counterpoint to the CSO article; an effective security awareness training is the best, perhaps the only security practice that, done effectively demonstrates dramatic, measurable return in today’s environment.

Your employees are everywhere, and they do everything. They touch every database. Every SSN. Every locked door. Every web application. Every e-mail. Every credit card number. Every line of code. Every turnstile. Every firewall rule.

Get the right message to your employees on a consistent basis and you have solved a significant number of your security challenges, or at least reduced risk in those areas. Change your employees behaviors and you have instantly changed your security profile. There is no other single security control that has that same potential.

Today, you may be trying to save the company time by making training optional for employees. Today, you may be trying to save the company money by having the security guy deliver your training. Today, you may be trying to save the company energy by delivering the same PowerPoint slides to management, IT and staff.

Today, you are wasting your money.

Tomorrow is another day.

Have a Coke and a (Security) Smile

Sometimes, security just sucks.

It was never meant to be that way. In fact, done properly security should support a business goal or a higher-level strategy. When it’s done well, security is not painful and it serves a purpose. It protects things worth protecting. It saves our @sses.

When it’s not done well, well…

I went out-of-town for a few days last week for the holiday. It was a last-minute decision, but a good one. The trip was short and sweet, and local. I used a hugely popular travel web site to make hotel reservations. To protect the not-so-innocent, the travel provider will remain nameless. But let’s just say that it wasn’t Expedia or Orbitz and it starts with a “hotels.com”.

Lately we’ve been using this service for business travel, as you can rack up free hotel stays quickly as long as you make reservations through their web site. Of course, you need to log in to your account before making your reservations – this I would learn the hard way.

The trip was wonderful – we did some biking, ate some great food and got to sleep in. Things all vacations should be made of.

Getting credit for the hotel stays was another story.

What I thought would be a quick call to the provider, started out bad and turned worse.

“Thank you for calling [hotel provider], can I help you?”

I explained that I needed to add credits to my account for stays that I had just completed. The customer service representative immediately requested my name, account number, DNA chains and a bunch of information that made me queasy. I asked politely why they needed this information for this activity, and why they would have had this information anyway. I certainly hadn’t provided it prior. These are hotel reservations after all, not the codes to The Football.

After several minutes of haggling, I was told that this individual could not post my credits. They would need approval from a supervisor. I was baffled.

I then asked her if she could get me the secret recipe for Coke, while she was at it. Either she didn’t get it or she didn’t think I was funny.

Making a long story short, I will be calling my hotel provider back on Monday, as this situation still isn’t resolved.

This is why people shudder when IT or their company’s Information Security team start talking about reinforcing security controls or “locking things down”. Forget matching your organization’s culture and personality with your controls (which we almost never experience), but let’s remember that your security implementation should match your risk.

Even the Secret Service lets the President kiss a few babies.

I will be calling back on Monday and immediately asking for a supervisor. When I get him or her on the phone, I will do my best to refrain from security advice.

But I might still ask for that Coke recipe.

%d bloggers like this: