The bombs that killed three people and wounded nearly 200 yesterday are a stark reminder that the odds are stacked against us when it comes to fighting crime.
While it appears that the response of the FBI, DHS, Boston Police Department, EMS and others was reasonably coordinated and effective, these situations inevitably raise recurring questions.
- Were we prepared?
- Who did this?
- Why did this happen?
- Could this have been prevented?
Governments, embassies, corporations and other entities have spent much time, money and energy in the hours since the Boston bombings reviewing (maybe panicking) and fortifying their protections.
And while this latest horror has caused all of us to ask these questions of ourselves, there is truly only one question that matters.
- Is what we’re doing to protect ourselves really worth it?
At a time like this, when lives have been lost, Presidents are holding press conferences and emotions are high, this question seems callous.
This is not to suggest that we shouldn’t be putting protections in place – far from it. In fact, I’d argue that all too often we as human beings would rather “take our chances” than protect ourselves proactively. It’s exactly why we see businesses getting owned by hackers every day.
But oftentimes we see the knee-jerk reactions caused by these events distracting us from the real objective. If we had just stayed the course and done a decent job of understanding our risks all along, we might not have been so vulnerable in the first place.
So we mourn our losses. These tragedies seem unavoidable, and perhaps they are.
But if we don’t learn from our mistakes it is all for nothing.
Doomsday Preppers, National Geographic Channel’s new hit series – is awesome.
The show follows various survivalists through their daily lives as they prepare for the end of civilization as we know it, whether it be from massive economic collapse, nuclear war, the melting of the polar ice caps or the failure of the power grid.
Each prepper, and sometimes their families, friends and neighbors, has undertaken serious precautions, from stockpiling months of non-perishable food and water, to training in self-defense, to building bunkers in the desert. All based on their belief that at some point – in their lifetime – they will need it.
They are then scored by survival experts in five categories of survival: water, food, shelter, security and an x-factor.
Some score quite well. Others? No.
Most people find it entertaining due to the uniquely odd and dysfunctional nature of the preppers themselves.
I recall one episode specifically where one prepper had stockpiled nearly 50,000 rounds of ammunition, built a sniper nest in a tower, and then proceeded to have his ear blown off because his companion had no experience with firearms and because he wasn’t wearing appropriate ear protection.
Sometimes it’s the little things.
But I find it entertaining for different reasons.
First, if you ask the experts that are closest to these scenarios – financial collapse, cyberterrorism, chemical and nuclear weapons – they’ll tell you that the likelihood of them making a significant impact on our lives is higher than most think.
The joke’s on us.
Second, human beings aren’t very good at identifying the real threats in any situation.
In the event that water, food and shelter become scarce due to some epic disaster, the threat isn’t going to be the flood waters, chemical agents or viruses. The real threat will be your neighbor.
People are always the biggest threat.
Hurricane Sandy was a massive storm, but one could argue that the worst damage was fairly localized. If you lived on the Jersey coast, lower Manhattan or Long Island, things were very bad, but outside of those areas you may have only gotten a little rain.
Yet inside of two weeks people were pulling guns and knives on each other, just to get in line for gas. What would it have been like if the damage had been more widespread and the shortage sustained?
We saw the same behavior during Katrina. People were killed for food and guns. Society started breaking down. Quickly.
By nature we are all survivalists. It’s why we have a massive brain and opposable thumbs. The human race has endured for thousands of years because this is how we’re programmed. In many ways, we’re all Doomsday Preppers.
What’s your score?
Piracy off the coast of Somalia has dropped off dramatically in 2012. Successful hijackings of American and other ships have decreased from 31 in 2011 (and 49 in 2010) to only four so far in 2012.
Unsuccessful attacks have also decreased, falling from 199 reported attacks in the first nine months of 2011 to 70 attacks over the same span in 2012 — a 65 percent drop.
However, diminished activity has not resulted in a decrease in the cost of sailing around the Horn of Africa.
Pressure continues to mount on international trade partners to increase the security of their vessels passing through these once heavily pirated trade routes. The risks of shipping goods through these waters increased to a point where excessive defensive means were necessary, both politically and militarily.
But risk avoidance has come at a high cost.
Anyone in the defense contracting business knows that these services are expensive. Water cannons may be cheaper, but they just don’t have the same effect.
And so we see several examples of Risk Management at work here, on both sides of the proverbial coin:
- International shippers made the decision to spend X on armed guards, along with their required equipment, firearms and ammunition. In addition, the countries involved have begun increasing their naval presence, coordination and response plans to counter these activities, all at increased costs. All this to protect a bounty worth Y. We expect that if and when X exceeds Y these practices will be suspended, and the shippers will go back to taking their chances.
- Somali (and other) pirates on the other hand, could at one time hijack a ship with four men, a couple of Kalashnikovs and a ladder, at a cost of X. To be successful today, they require far greater coordination, communications, firepower and manpower. Their costs have increased dramatically, while the bounty remains at Y. Factor in the recent increase in likelihood of death by armed paramilitary, and the decision becomes even clearer. The costs have outweighed the benefit.
Any organization today can apply the same methodology to make decisions about the procurement and implementation of security controls, even though they may not be shipping food, fuel and jewelry through international waters.
In a recent conversation with a prospect we discovered that a number of edge security devices were upgraded, to the tune of $80K. The obvious questions were launched:
- Did these investments address your most critical risks?
- Were these investments worth it?
Like any good cliffhanger, I’ll leave the responses to another post. Let me instead redirect and suggest that you ask yourself the same questions of your own investments.
You may also want to ask yourself if you’re the shipper, the pirate or both.
Luckily for us, we’re the armed guards.
Hurricane Sandy, appropriately named after a slow-moving but powerful family member of yours truly, spent the last few days wreaking havoc on the East Coast.
And while some of us made it through with just a bit of sideways rain, I’m sure there are more than a few businesses out there putting a Business Continuity Plan on their “To Do” list this morning.
Better late than never, they say.
Or is it? After all, Upstate New York has experienced an earthquake, a tornado, epic flooding and two hurricanes in the past fifteen months. This in an area that is considered relatively protected from Mother Nature.
Tonight, on All Hallows’ Eve, most of us will engage in some sort of ghoulish tradition, whether carving a pumpkin for the front stoop or trick-or-treating with the kiddies. And yet we know that most, if not all of these activities can end in some kind of trouble.
Chances are good that the creepy teenager down the block with the acne and the freakishly thick eyebrows is going to smash your pumpkin. Someone’s car is going to get a clean shave. And Mrs. McGillicutty’s willow tree is probably getting TP’d.
But despite all of this, we trust our kids and neighbors to make it through the night without serious damage. We trust that things won’t get out of hand. We trust that people won’t kill each other over a bag of treats.
And in that apparent weakness lies one of our greatest strengths. In trust we gain the ability to go about our lives. To interact with others. To exist.
Without trust, we could not walk down the street at night without checking every dark corner. We couldn’t approach a stranger’s door without a background check. We couldn’t eat candy without inspecting every chocolatey bite.
Without trust, we could simply not function.
Trust is at the heart of every security model on planet Earth. Despite popular wisdom, the security controls that we put in place to protect our information, people and other assets imply some measure of trust in their relationships.
We trust that a firewall will disallow specific protocols on specific ports. If we didn’t, we wouldn’t buy them. But like the creepy kid down the street, trust only goes so far.
At some point, you need to verify.
And what better time than Halloween for a lesson in verification? Whether it’s the batteries in your flashlight, the traffic crossing in front of your little Spiderman or the bra strap on your girlfriend’s Lady Gaga BaconSuit costume, sometimes you just need to verify.
Halloween is no time for a wardrobe malfunction.
It seems that everybody loves a good zombie apocalypse.
The Walking Dead has become the highest rated cable series ever. And for good reason. The thought of free gas, unlimited travel and zombie target shooting is appealing to many.
And regardless of how you feel about Rick and company’s impending doom, there is one thing that is pretty clear – they weren’t exactly prepared.
That being said, they haven’t exactly screwed everything up, either.
- Leadership – Although at times challenged by Shane, Merle, his wife, zombies and the occasional deer, Rick quickly established himself as the Incident Response Lead, and a reasonably effective one. Never mind that he had to kill his best friend to get there.
- Escape and Evasion – You can’t argue with success. Even the elderly, ladies and children have made it through hordes of feasting undead. And zombie meatsuits? Brilliant.
- Conservation – I’ve never seen a group of newbies shoot with such deadly accuracy. Ammo may be free in the post-zombie-apocalyptic world, but why take two shots if you can get the job done in one? High ratings here.
- Tactics – How many times is Rick going to wander off by himself in the middle of the night in a heavily zombie-occupied zone searching for someone who likely died two episodes ago? Isn’t this guy a trained Sheriff?
- Communication – Seriously, Rick, next time you’re in town grab a walkie-talkie or something. Or a flare. Anything. Must you all wander about wondering what everyone else is up to?
- Planning – Oh, and while you’re at it, grab a pencil. And WRITE SOMETHING DOWN. Like where the exit is. Or where you found the beans last time. Or maybe come up with a plan. Like what you’re going to do for the next 40 years.
I have to admit I’m a huge fan of the show, and I have been since it debuted in 2010. I’d be lying if I said I wasn’t a little jealous – living out a zombie apocalypse is sort of a fantasy of mine. I often wonder how I would fare. Baked beans and all.
The real lesson here is that we can’t exactly plan for everything. Preparation is important, but adaptation is critical. The ability to survive – in business or otherwise – depends on our ability to recognize our threats, weaknesses and the most effective ways to counteract them.
Bullets and beans don’t equal survival. You need people who know how to use them. And a plan.
One way or another, we’re all going to end up a Rick or a zombie.
The choice is yours.
Sometimes, security just sucks.
It was never meant to be that way. In fact, done properly security should support a business goal or a higher-level strategy. When it’s done well, security is not painful and it serves a purpose. It protects things worth protecting. It saves our @sses.
When it’s not done well, well…
I went out-of-town for a few days last week for the holiday. It was a last-minute decision, but a good one. The trip was short and sweet, and local. I used a hugely popular travel web site to make hotel reservations. To protect the not-so-innocent, the travel provider will remain nameless. But let’s just say that it wasn’t Expedia or Orbitz and it starts with a “hotels.com”.
Lately we’ve been using this service for business travel, as you can rack up free hotel stays quickly as long as you make reservations through their web site. Of course, you need to log in to your account before making your reservations – this I would learn the hard way.
The trip was wonderful – we did some biking, ate some great food and got to sleep in. Things all vacations should be made of.
Getting credit for the hotel stays was another story.
What I thought would be a quick call to the provider started out badly and turned worse.
“Thank you for calling [hotel provider], can I help you?”
I explained that I needed to add credits to my account for stays that I had just completed. The customer service representative immediately requested my name, account number, DNA chains and a bunch of information that made me queasy. I asked politely why they needed this information for this activity, and why they would have had this information anyway. I certainly hadn’t provided it prior. These are hotel reservations after all, not the codes to The Football.
I then asked her if she could get me the secret recipe for Coke, while she was at it. Either she didn’t get it or she didn’t think I was funny.
Making a long story short, I will be calling my hotel provider back on Monday, as this situation still isn’t resolved.
This is why people shudder when IT or their company’s Information Security team starts talking about reinforcing security controls or “locking things down”. Forget matching your organization’s culture and personality with your controls (which we almost never experience); let’s at least remember that your security implementation should match your risk.
Even the Secret Service lets the President kiss a few babies.
I will be calling back on Monday and immediately asking for a supervisor. When I get him or her on the phone, I will do my best to refrain from security advice.
But I might still ask for that Coke recipe.
Any organization that is developing or managing an information security program will inevitably face the question – how much is enough?
Regardless of the size, industry or complexity of an organization, knowing how much of an investment to make in security can be a challenge. There is no shortage of headlines, hacks, vendor recommendations and budgetary constraints, but none of these will answer the following common questions:
- How secure am I?
- Am I more secure than I was last year?
- How much should I be spending on security?
Now some of you are probably already thinking, shouldn’t an effective Risk Management program give me these answers? The answer is yes and no.
Risk Management is critical to the maturation of any security program, and is an effective tool for determining the deficiencies – and thus priorities – of the organization. It can even provide, relatively speaking, a measure of each weakness as a function of the organization’s risk tolerance. It provides clear direction and prioritization for security efforts based on a deterministic system of measuring threats, vulnerabilities and controls. What it doesn’t provide is a tactical view of performance against those risks.
Enter security metrics.
Where Risk Management is the car, security metrics are the car’s navigation system. Risk Management provides a steering wheel for setting direction, and gas for setting urgency. The navigation system will tell you how long it’s taking you to get where you’re going, and compare that to how long it should have taken you. These metrics are important in answering the questions above, but are also helpful in measuring overall security performance.
Determining an appropriate set of security metrics isn’t as easy as it sounds. Charting out the number of blocked port scans at your edge is pretty much worthless these days, as is the percentage of spam e-mail. Unfortunately these are the numbers that are readily available.
To develop a measurement system that will be useful, you need to build metrics to address two audiences: you, and your CEO.
The first set is important because as they say, you can’t manage what you can’t measure. Having a set of metrics that makes your life easier will save you time and provide the evidence you need to support your critical initiatives. It will also help with daily operations, like forensics, tuning and monitoring.
The second set is important because at some point, your CEO is going to ask you the aforementioned questions. The better you can answer them, the more likely your budget will be approved.
Here are some metrics to consider:
- Risk Assessment Coverage – How many of my assets (people, documents, facilities, applications, networks, etc.) have been evaluated by Risk Management within the past 6 months? Past 12 months?
- Percent of Changes with Security Review – How many of the configuration changes in my environment have been reviewed by Information Security personnel? Of those changes that weren’t reviewed, how many resulted in downstream rework or were the root cause of security violations?
- Mean Time to Incident Discovery (or Recovery) – Of the organizational incidents classified as security incidents, how many did we discover (versus our customers, partners or other third parties) and how long did it take? Secondly, how long did it take to recover from critical incidents?
- Patch Policy Compliance – How often are we violating our patch policy for critical security patches?
- Percentage of Trained Employees – How many of our employees have received effective Security Awareness Training? Of the personnel that have not received training, what is the percentage that have been involved in avoidable security incidents?
The above metrics go far beyond a typical firewall report, which does more to describe active threats than actual performance. Once you start trending these over time, you start to get a much deeper sense of true security maturity, rather than just raw data. You’ll also get a sense of progress, one way or the other.
(For some other ideas, check out the CIS Consensus Information Security Metrics)
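As an added example (not from the original post), the five metrics above computed from constructed sample records. Field names, the 14-day critical-patch SLA and the 30-day month used for the assessment window are my assumptions, not something the post specifies.

```python
from datetime import date, datetime, timedelta
from statistics import mean

# Constructed sample data (not real measurements) shaped after the post's five metrics.
AS_OF = date(2012, 9, 30)
ASSETS = [  # last risk assessment date; None = never assessed
    {"name": "payroll-db", "last_assessed": date(2012, 8, 1)},
    {"name": "vpn-gw", "last_assessed": date(2012, 2, 15)},
    {"name": "hr-share", "last_assessed": date(2011, 6, 1)},
    {"name": "web-app", "last_assessed": None},
]
CHANGES = [  # reviewed by InfoSec? did it later cause rework or a violation?
    {"ticket": "CHG-1", "reviewed": True, "caused_violation": False},
    {"ticket": "CHG-2", "reviewed": True, "caused_violation": False},
    {"ticket": "CHG-3", "reviewed": False, "caused_violation": True},
    {"ticket": "CHG-4", "reviewed": False, "caused_violation": False},
    {"ticket": "CHG-5", "reviewed": False, "caused_violation": True},
]
INCIDENTS = [  # who found it, and when it started / was found / was recovered
    {"id": "INC-1", "critical": True, "discovered_by": "internal",
     "started": datetime(2012, 9, 1, 8), "discovered": datetime(2012, 9, 1, 20),
     "recovered": datetime(2012, 9, 2, 20)},
    {"id": "INC-2", "critical": False, "discovered_by": "customer",
     "started": datetime(2012, 9, 10), "discovered": datetime(2012, 9, 12),
     "recovered": datetime(2012, 9, 12, 6)},
    {"id": "INC-3", "critical": True, "discovered_by": "partner",
     "started": datetime(2012, 9, 15), "discovered": datetime(2012, 9, 15, 6),
     "recovered": datetime(2012, 9, 17, 6)},
]
PATCHES = [  # vendor release date and date applied; None = still open
    {"id": "P-1", "critical": True, "released": date(2012, 9, 1), "applied": date(2012, 9, 10)},
    {"id": "P-2", "critical": True, "released": date(2012, 9, 1), "applied": date(2012, 9, 20)},
    {"id": "P-3", "critical": False, "released": date(2012, 9, 1), "applied": None},
    {"id": "P-4", "critical": True, "released": date(2012, 9, 5), "applied": None},
    {"id": "P-5", "critical": True, "released": date(2012, 9, 25), "applied": None},
]
EMPLOYEES = [  # completed awareness training? involved in an avoidable incident?
    {"login": "alice", "trained": True, "avoidable_incident": False},
    {"login": "bob", "trained": True, "avoidable_incident": True},
    {"login": "carol", "trained": False, "avoidable_incident": True},
    {"login": "dave", "trained": False, "avoidable_incident": False},
    {"login": "erin", "trained": False, "avoidable_incident": True},
]

def pct(part, whole):
    return round(100.0 * part / whole, 1) if whole else 0.0  # 0.0 for an empty population

def risk_assessment_coverage(assets, as_of, months):
    """Share of assets assessed within the trailing window (assumes 30-day months)."""
    cutoff = as_of - timedelta(days=30 * months)
    recent = [a for a in assets if a["last_assessed"] and a["last_assessed"] >= cutoff]
    return pct(len(recent), len(assets))

def change_review(changes):
    """Share of changes reviewed, and how often the unreviewed ones went wrong."""
    unreviewed = [c for c in changes if not c["reviewed"]]
    return {"pct_reviewed": pct(len(changes) - len(unreviewed), len(changes)),
            "pct_unreviewed_causing_violation":
                pct(sum(c["caused_violation"] for c in unreviewed), len(unreviewed))}

def incident_metrics(incidents):
    """Who finds our incidents, mean time to discover, mean time to recover criticals."""
    hours = lambda delta: delta.total_seconds() / 3600
    critical = [i for i in incidents if i["critical"]]
    return {"pct_discovered_internally":
                pct(sum(i["discovered_by"] == "internal" for i in incidents), len(incidents)),
            "mean_hours_to_discovery":
                round(mean(hours(i["discovered"] - i["started"]) for i in incidents), 1),
            "mean_hours_to_recovery_critical":
                round(mean(hours(i["recovered"] - i["discovered"]) for i in critical), 1)}

def patch_policy_violation_rate(patches, as_of, sla_days):
    """Percent of critical patches applied after the SLA, or still open past it."""
    def violated(p):
        deadline = p["released"] + timedelta(days=sla_days)
        return as_of > deadline if p["applied"] is None else p["applied"] > deadline
    critical = [p for p in patches if p["critical"]]
    return pct(sum(violated(p) for p in critical), len(critical))

def training_metrics(employees):
    """Share trained, and how often the untrained show up in avoidable incidents."""
    untrained = [e for e in employees if not e["trained"]]
    return {"pct_trained": pct(len(employees) - len(untrained), len(employees)),
            "pct_untrained_in_avoidable_incident":
                pct(sum(e["avoidable_incident"] for e in untrained), len(untrained))}

def scorecard(as_of=AS_OF):
    """One reporting period's numbers; the value is in trending these period over period."""
    return {"risk_coverage_6m_pct": risk_assessment_coverage(ASSETS, as_of, 6),
            "risk_coverage_12m_pct": risk_assessment_coverage(ASSETS, as_of, 12),
            "critical_patches_violating_14d_sla_pct": patch_policy_violation_rate(PATCHES, as_of, 14),
            **change_review(CHANGES), **incident_metrics(INCIDENTS), **training_metrics(EMPLOYEES)}

if __name__ == "__main__":  # print one period's scorecard
    print(*(f"{k:40} {v}" for k, v in scorecard().items()), sep="\n")
```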
Someone once said that if you don’t know where you’re going, you can’t get lost. That strategy is perfectly fine for the retired, vacationers and Jamaicans, but if you’ve got somewhere to be you need a plan.
Get your metrics right and the next time your CEO asks “how secure am I” you can say, “No worries, mon.”
Last week’s SC Congress in New York City was short and sweet. The one-day security conference focused on emerging threats and case studies, including Barnes and Noble, Tyco and HSBC. There were several hundred in attendance. The multi-grain tuna fish box lunch was delightful.
Among my favorite presenters was Mark Clancy, the CISO for the Depository Trust and Clearing Corporation (DTCC). You’ve never heard of this organization, but you use them every day. In fact, we all do. DTCC provides clearing and settlement for equities, bonds and securities for the US and 121 other countries. In 2009, DTCC settled more than $1.48 quadrillion in securities transactions. Yes folks, that was not a misprint. The number is so big that they had to make up a name for it.
In his talk he described the information security challenges they face, which are understandably different from most. Asked what he considered to be his greatest security hurdle, he responded “information sharing”. He went on to describe DTCC’s relationship with the FBI, the FS-ISAC and other information sharing organizations, and the difficulties they face. We’ve seen this problem cited countless times before, including its roots in 9-11. He closed by saying that “hackers communicate better than we do”.
But is this why we’re losing the war on cybercrime? As I wandered off, deep in thought, it occurred to me that there may be other areas where hackers are outperforming us. Perhaps it wasn’t their cunning, but rather their ability to understand business, strategy and process that was their advantage? Sitting and waiting for the coffee break, I came up with the following possibilities:
- Hackers don’t burden themselves with compliance – It may sound silly, but there are entire industries causing victimized organizations to become distracted from the real goal. Compliance regulations have good intentions, but applied in the wrong context or culture they can be counter-productive. Hackers get the job done in the most efficient and cost-effective way, without cycles spent on annual reporting or scans.
- Hackers don’t rely on technology – The tools in use by today’s hackers are simple and effective and are geared towards ROI. While no doubt a successful attack may require a reliable rootkit, if the one they’re currently using doesn’t work, they’re not afraid to move to an alternative. Technology is a means to an end, not a religion. And it’s generally inexpensive to make and support.
- Hackers know their risks – Whether you’re a hacker, hacktivist or corporate spy, the priority is not getting caught and they put lots of wood behind this arrowhead. The numbers speak for themselves; today there are roughly three million people incarcerated in the US (it typically runs at 1% of the population). In 2011, the FBI caught (not convicted) but 17 US citizens for computer-related crimes (the total is a measly 35 globally). The value of banks being robbed by gun is dwarfed by the value of banks being robbed by computer. You do the math.
- Hackers don’t use default passwords – While I remember only bits and pieces of this story, the moral still rings true. The FBI, along with their foreign counterparts in Estonia, were working to extradite an alleged cybercriminal, his laptops and other computer equipment. The suspect, after being worked over for weeks by the Federali, finally handed his laptop encryption password over – it was a passphrase nearly 300 characters long.
- Hackers don’t have sensitive data – Sure it’s true that they have an asset that they’re generally trying to protect, but if they lose it or it’s stolen they know where to get more. Besides, is it really sensitive if it’s not even theirs? In addition, there are no HR databases. No credit card transactions (not on their own cards, at least). Hackers could teach us CISSPs a thing or two about reducing our attack surface.
- Hackers don’t trust – Aliases. Onion routing. Offline couriers. Money mules. There is no trust in hacking. This is essential to their survival.
Now this list shouldn’t imply that there aren’t idiot hackers out there throwing up pictures of their new Porsche (complete with Russian license plates and geotags) on torrents once in a while, but we don’t hear about those incidents all that often. The reality is, when it comes to Operational Security (OPSEC), hackers are beating us like a барабанчик.
We often recommend to clients that they “think like hackers” when developing their security programs. The idea comes from Sun Tzu – in knowing their attacker, they can best develop their security measures.
Perhaps we should also suggest that clients look to hackers when developing their business plan.
I’m not talking about trick-or-treating, I’m talking about Information Security. (Hooo-hoo-hoo-hoo-hoo-haa-haa-haa-haa-haa)
- Wear a well-fitting outfit – If your costume doesn’t fit, or if it makes you sweat or gives you a rash, you’re going to end up taking parts of it off. Then you’ll spend the rest of the night explaining what you are and possibly forfeiting bounty. There’s no point in getting into something that you’re not going to use; it wastes time, money and energy, and you pretty much get nothing out of it. Your security program should fit like a catsuit. Black.
- If you see something, say something – Too often we’re hesitant to make the call when we see something that’s out of place or just doesn’t feel right. As human beings we are programmed to not get involved, but done appropriately it can help prevent problems from occurring. It might be a ghost, it might be an intruder. Be safe, not sorry.
- Stay away from dark houses – In the best case you’re wasting your time, in the worst case you’ll end up wandering into a bad place. There’s plenty of low-hanging candy out there, don’t get distracted by the latest curiosity. We all know what curiosity did to the cat.
- Use sidewalks and driveways – If you’re cutting across lawns or jumping fences because you think you’re going to make better time, chances are decent that you’ll end up in an open septic tank. Or a drainage ditch. Or getting caught on a pole. Shortcuts rarely are, that’s why we have standards. Stick to lighted streets and pathways. And trust me on the septic tank thing.
- Know your route – Have a plan and stick to it, but remember that your plan should account for change. If the police have closed Lincoln Drive off because someone egged Mr. Goldman’s place, be prepared to take Washington. It may get messy out there and there are no guarantees. Review your plan regularly to maximize your progress.
- Don’t walk those streets alone – Strength comes in numbers. Find people to go with you on this harrowing journey; chances are they’ll know something about the streets you’re walking and they’ll help you avoid traps that you would have fallen into otherwise. It’ll be more fun, too. And don’t be afraid to call for help if you see trouble; there are experts out there that specialize in dealing with problems.
- Check your candy before eating it – This one seems obvious, but when something is given to us we’re usually so excited we just can’t wait to open it up. Once it’s opened it’s too late, and it usually ends up installing a rootkit and stealing our banking credentials. Or giving us a toothache. Don’t judge that candy by its wrapper, and don’t even take it if it’s not coming from a trusted source. The apple from Mrs. McGillicutty is probably fine, but I wouldn’t touch that popcorn-ball-thing you got from Old Man Haversham.
- Don’t talk to strangers – There are a lot of bad people out there, and they do bad things. They’ll take your candy. They’ll even take that popcorn-ball-thing you got from Old Man Haversham. Only get involved with people you trust. If you’re going to be spending time with them, you should know where they come from, what they do for a living and if they’ve had a vendor risk assessment from a trusted security provider.
- Pace yourself – Running from house to house will only wear you out, and chowing a bag full of Reese’s will make you sick. It’s going to be a long night, and the successful will recognize that this is a continuous process. Ring door bell, collect candy, run to next house, repeat. Master your pace, master your success. Stick to your security priorities. Do too much at once and you’ll just end up exhausted and nauseous.
- Enjoy – Too many of us are heads down in the mission and we forget to stop and smell the candy corn. It’s not just about collecting the biggest bag of candy, it’s about the experience. Yes, we all have a serious job to do, but we won’t be able to take it seriously if we don’t love what we do. So love it. Eat it like candy.
There’s been a lot of chatter over the past week regarding the alleged breach of U.S. Military unmanned aerial vehicles, or at least the networks that they use to transport video streams back to Operation Command Centers in Nevada, or wherever their 19-year-old operators and joysticks are positioned.
The media have speculated that a virus, introduced from external media, penetrated critical networks and was doing bad things. The Government has done its best to misinform and parry, suggesting (and confirming in some way?) that whatever malware did make its way onto its networks is just a nuisance. It was even suggested that the malware was the military’s own, a weapon that somehow escaped the labs.
Of course, the Department of Defense doesn’t comment on classified networks, so there’s a good chance we’ll never know the real story.
The real question we should be asking is, who cares?
I don’t mean to sound glib, but if Uncle Sam says it’s not a problem, maybe it’s not? After all, even if video streams from Unmanned Aerial Vehicles (UAVs) were intercepted, intended targets likely wouldn’t have time to escape before they were made into Afghani pottery anyway, so what’s the big deal? Perhaps, you say, the enemy is collecting intelligence on UAV flight patterns, so that it can predetermine and thusly avoid detection. Perhaps.
Or perhaps this story is more important to the media than it is to the masses? Not unlike the incessant droning (sorry) on about malware being delivered to Android-based phones these days. It’s a [nearly] proven fact that over 10% of Android applications do things we don’t want them to do, whether they’re harmlessly hijacking GPS coordinates and personal information to push personalized ads to your browser or they’re outright malware stealing online banking credentials. Here’s the thing – people don’t care. Androids – and their applications, stuffed with privacy-violating “features”, are flying off the shelves.
And when will it be time to start vulnerability scanning our cars? We’ve already seen Subaru Outbacks compromised using integrated Wi-Fi, and many vehicles’ braking systems are vulnerable to attack. And let’s face it – OnStar is a mass botnet just waiting to happen. Don’t look for the “Hardened Security Vehicle” checkbox at your local auto dealer – they don’t care either.
Perhaps the Department of Defense is giving us the cold shoulder because they’re a little embarrassed. Perhaps they’ve declassified this information because it’s helpful for the information security community. Or perhaps it’s because redirection and confusion is all part of their Computer Incident Response Team (CIRT) procedure.
Or perhaps they’re just teaching us a lesson. If we can care so much about a remote control airplane flying over a desert 7,000 miles away that we’ve never seen and will never have any effect whatsoever on us, why can’t we care about the stuff we use every day?