Payment Card Security & IT Controls Explained

Entries from July 2009

Sensitive Data leaked onto P2P networks… how to safeguard assets?

July 30, 2009

An article published by SC Magazine, entitled “First lady’s safe house location leaked on P2P”, was highlighted in a LinkedIn group and spawned a discussion.  The article breaks down the concern that lawmakers and regulators have with P2P networks following the recent release of sensitive data.
You can find the article here, and the U.S. Committee on Oversight and Reform transcriptions & webcast here.  The chairman’s closing remarks (short) are here on “predator-to-prey” networks.

I strongly advise reading through these to understand the current risks and perception of risks that exist.
The article is a good overview of a problem, but I would contend that the attack / threat / vector is not as described by the testimony or highlighted in this article.  They state the problem is the P2P technology that led to the disclosure of the sensitive data.  That is similar to blaming the highway for causing an accident.  Professionals in the business of protecting assets and managing operations must have safeguards for the data that transcend the risks of any particular technology.
Safeguarding data begins with a few simple efforts (a good initial start…):

  1. Identify what is worth protecting (this definition allows for PII, PHI, Top Secret, Competitive importance)
  2. Determine the flows of data (i.e., the rabbit holes… follow the data from origination to retirement)
  3. Introduce process efficiencies (i.e., reduce the rabbit hole dead ends; add automation where possible; simplify the process to reduce the final assets requiring protection)
  4. Develop and define the necessary Safeguards to protect these assets
  5. Compare existing controls (for the remaining rabbit holes or “business processes”) and eliminate duplication
  6. Finally define performance metrics of these controls, a timetable, and deploy

It is dangerous, and unfortunate, that the committee seems to be hunting for a culprit that can be regulated and has settled on P2P as the simple problem, when in fact the problem is the current state of security within the Nation’s critical infrastructure, and this is as much an internal people problem as an internal technology compliance problem.  I do agree with the elimination of software that is known to be at risk of attack, but in the client-browser attack world we live in today that would include things such as Internet Explorer!  Removing access to torrents and other P2P networks only stifles innovation and increases costs.  A more risk-aware and intelligent method needs to be devised that allows the government to gain access to valuable resources without placing sensitive information at risk.

I look forward to anyone’s take and experience on solving this challenge,

Kind Regards,

James DeLuccia IV

See me speak at RSA 2009 Europe on a new framework for addressing social, smartphones, netbooks, and their risks

Order my book online at Amazon where I elaborate on how to develop an Enterprise Risk Management Program, based upon NIST and years of client engagements.

Categories: Compliance

IT Strategy and Governance: Avoiding the pitfalls of Perception Bias…

July 29, 2009

In a recent article for the Payment Card Industry magazine, Secure Payments, I introduced the conceptual idea of Information Technology Governance as a bicycle wheel, with the organization made up of the spokes (representing all initiatives – contractual; regulated; competition necessitated) and the rounded wheel depicting the operating strategy of the business, fully integrated and inter-dependent.  Check out the article here online (starting on page 24), or join the SPSP and receive complimentary copies in the mail.  I distinguish the challenges of organizations focusing on a single regulation as the means of orchestrating their security and compliance programs.  The concept of creating a custom control framework is articulated and broken down in IT Compliance and Controls, which I published last year with John Wiley and Sons (for those looking for greater discussion and practical advice).
Why is that wrong?  To extend the article’s points:  the information technology operations of a business are unique to every business, as unique as the culture of the business.  While the parts that make up the information technology (routers, switches, clouds, software, etc…) are common to many businesses, their combination and implementation make up the competitive advantage of the business.  So, if following one regulation is not appropriate for all businesses, is it appropriate for those within a particular industry?  Simply answered, no.
The organization, in the instance of PCI DSS, is susceptible to many different risks.  These risks relate to geography, staffing, operational decisions, and external factors to the business.  Each standard is conceived under the premise that under a single environment XYZ are the risks and appropriate mitigating responses.  This premise falls apart when additional concerns, assets, and risks are introduced.
IT Strategy and Governance must constitute a merging of business aptitude with technology capability.  This shall be a topic that we will revisit with greater specifics and tools to achieve this objective.  Thoughts / Concerns?

Kind regards,

James DeLuccia IV

Categories: Compliance

Denial of Service Attack: S. Korea U.S. Cyberwar and Intelligence

July 9, 2009

There is a great deal of misinformation regarding the Denial of Service attack that has been ongoing.  While many of the facts are not fully available, the misinformation is plainly visible.

  • First off, a denial of service attack (DoS or DDoS) can be launched from anywhere in the world.
  • Secondly, such an attack is typically carried out using computers that have been infected by malware – unbeknownst to the user / owner.
  • Thirdly, such attacks can be coordinated through multiple locations – the end result is no absolutely clear view as to the originator of the crime.

The Wall Street Journal article, New Web Attacks Hit Some South Korean Sites, today blended two stories together: the cyberattack that is in progress, and loose ties to how N. Korea is undergoing leadership changes and is more aggressive militarily (a weak correlation to be sure).  Another news story at The Hankyoreh paper (link is in English and available in Korean) states that 26,000 computers in South Korea were executing the DDoS attack.  They provide an interesting perspective on how this attack differs from others.  It is inaccurate, however, for them to be physically examining a computer (as shown in the picture included in the article) and its chips to determine the cause of the attack – it is malware (MyDoom, Conficker, etc…).

Additional articles with information on this denial of service attack:

The security industry has been stating the danger of allowing such malware to infect systems, and the result is now evident.  This attack is being orchestrated with only 26,000 computers.  The University of California researchers had control of over 182,914 hosts – nearly 7 TIMES more systems – and this one ongoing attack is from one particular geographic location.

A note of caution: attacks such as this create a lot of noise.  Such noise can be used to conceal the illicit activities of criminals.  In the security and audit world we expect, and have in place, technology to trigger alerts and initiate security protocols when such events occur.  If, however, the number of events exhausts the resources, then prioritization begins to play a part.  Businesses, and governments, must consider these conditions and risks when responding to such situations.
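As an added illustration of that prioritization (example code written for this page, not the author's), the Python below collapses a constructed flood of low-severity connection alerts into one summary per target, so that two unrelated higher-severity alerts buried in the noise surface at the top of the analyst's queue. All signature names, severities and addresses are assumed values.

```python
from collections import defaultdict

# Signatures that a volumetric attack generates in bulk (assumed names).
NOISE_SIGNATURES = {"conn_flood", "syn_flood", "udp_flood"}


def build_sample_alerts():
    """Constructed alert stream: 500 low-severity flood alerts against one
    web server, with two unrelated higher-severity alerts buried inside.
    Tuples are (timestamp, signature, severity 1-5, src_ip, dst_ip)."""
    alerts = [(i, "conn_flood", 2, f"203.0.113.{i % 200 + 1}", "198.51.100.10")
              for i in range(500)]
    # The kind of activity the noise could conceal (constructed values).
    alerts.insert(250, (250, "new_admin_account", 5, "10.0.0.8", "10.0.0.8"))
    alerts.insert(300, (300, "large_outbound_transfer", 4, "10.0.0.21", "192.0.2.77"))
    return alerts


def triage(alerts):
    """Collapse noisy signatures into one summary per (signature, dst) and
    rank what remains by severity (highest first), then by first-seen time,
    so the queue is not exhausted by the flood itself."""
    buckets = defaultdict(list)
    queue = []
    for ts, sig, sev, src, dst in alerts:
        if sig in NOISE_SIGNATURES:
            buckets[(sig, dst)].append((ts, sev, src))
        else:
            queue.append({"signature": sig, "severity": sev, "first_seen": ts,
                          "src": src, "dst": dst, "count": 1})
    for (sig, dst), hits in buckets.items():
        queue.append({"signature": sig, "dst": dst,
                      "severity": max(sev for _, sev, _ in hits),
                      "first_seen": min(ts for ts, _, _ in hits),
                      "count": len(hits),
                      "distinct_sources": len({src for _, _, src in hits})})
    queue.sort(key=lambda a: (-a["severity"], a["first_seen"]))
    return queue


if __name__ == "__main__":
    for entry in triage(build_sample_alerts()):
        print(entry)
```

Running the block prints three queue entries instead of 502: the two buried alerts first, then a single flood summary recording 500 hits from 200 distinct sources.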

Situations such as these should evoke thought and action, but not necessarily motion – as Benjamin Franklin states quite eloquently, “Never confuse motion with action”.  It would be ill advised for governments to erect vast regulatory bodies / Czars / Committee reviews of this situation – the cause and solution are known; only precise action and response are required.

Contrary Thoughts / Insights into the actual originators?

James DeLuccia IV

My profile on LinkedIn

I will be speaking at RSA 2009 Europe, please register and join the discussion on the future of data security and privacy (links coming soon)

Categories: Compliance

IT Strategy: Launching the Right Projects at the Right Time

July 9, 2009

A recent article on Bank Systems and Technology highlights a very difficult and often misunderstood need and method of aligning technology projects to core business requirements.  The author is a thought leader in the space and provides great information to consider.  There are specific enhancements I would make to their approach.
A common mistake in the technology world is to engineer for engineering’s sake.  This follows from the idea that if we add more features and increase the throughput, surely the business will be enamored by the results and grateful for the effort undertaken (whether we are buying a product or have developed it internally).  This is fundamentally the source of the discrepancies that result between technology delivered and business need.  Technology does not need to simply extend itself, but should be evolving to meet new challenges – i.e., the same appliance configured and deployed in the same manner may no longer be appropriate.
Considering this discrepancy in thought, I would suggest an alternate project prioritization checklist for business and technologists:

  1. Technologists and Lines of Business owners should collaborate on the near term challenges of the business -> i.e., identify the problems holding back the business
  2. Based on this business problem list, identify the possible solutions – considering existing technology and alternate deployments
  3. Identify the low hanging fruit – i.e., sort the technology solutions by cost/effort with that of the business problems, and tackle the quickest returns first.
  4. Projects should show returns in weeks, not months
  5. Projects should be accountable to the Line of Business Owner, and it should be reflected in their P&L
  6. Repeat steps 3 – 6, and every couple of months restart at the beginning – especially as the business environment and operating environments change (As the business changes, so must the technology contributing to operations).

Additions/Enhancements?

Thank you to Deb Smallwood and Karen Furtado of SMA for contributing the article that inspired my own process.

Best regards,

James DeLuccia IV

Categories: Compliance

Denial Of Service Attacks (DoS); Treasury, DOJ, NYSE, S. Korea

July 8, 2009

These past few days have seen numerous packet attacks against some very prominent institutions.  Now, while most of these targets are simply PR and marketing front-ends, and not truly the operating environments, the attacks are annoying and introduce a few specific threats and concerns that should be considered today in your environment and for the future of the internet.

More packets are not the answer – The typical response to an attack is to attack back, or add encryption, or create greater integrity checks on the data.  Adding to the pile of data pushing through a pipe (by increasing packet size for cryptography and MD5 hashes) only clogs a system that is already clogged.  Careful consideration should be given before rolling out additional solutions, accounting for the material effect such solutions and technologies will have on the environment and on the attack threat.

Separate is not always separate – It is common and best practice to operate core business services on secure environments that are resilient to such DDoS attacks and other common public internet attack vectors.  Unfortunately, sometimes the technical architectures overlap and cross as a result of cost management and a simple lack of policies and procedures.  These public attacks should highlight the need to carefully review:

  1. Your current redundant and resilient environments
  2. Careful review and continued adherence to your change control and approval program.

Attacks may be closer than they appear – These attacks are originating from someplace, but not the place where one thinks.  The attackers have employed trojaned computers from around the world and are orchestrating this through a command and control server.  This is a very common practice.  Investigators, businesses, and governments should be cautious in pointing fingers as to the source, given the ability to take over systems from one country or from the whole world.

Regulating bandwidth – Today most organizations throttle bandwidth for different types of traffic and based on source-destination IP addresses.  It is quite conceivable we could live in an online world where DoS attacks are ongoing and continuous.  The next step in the arms race would be a land grab on routers and other devices to secure virtual private channels.  Conceivably one could see Google locking a specific set of traffic for every network device.

More thoughts spring to mind, but this is a reminder to take technology problems through a thought-through strategy, and not through one-off shots.

Comments?

Kind regards,

James DeLuccia IV

Categories: Compliance