Today kicked off, for me, the RSA conference. The best part of these types of events is the onslaught of ideas shared between peers – generally through networking and random encounters in hallways (such as bumping into Bill Brenner). Thanks first off to RSA for creating the forum for these discussions to occur.
I have the privilege of speaking tomorrow, and look forward to the debate and flow of ideas that will ensue.
While reviewing some of the research provided to attendees, I had the following observations, and wanted to share them in their entirety for debate and expansion:
Vendor management by procurement SHOULD include data plus asset chain of custody, and #infosec assurance to YOUR standards #RSAC
So basically – costs per breach are up; # attacks higher; 6 more days to resolve, & the same forms of attack
Aren’t costs per breach up in 2012 to $8.9 million the result of our greater leverage of information technology & resulting value?
Most botnet, malware, & C&C operators manage MORE devices; across WIDER geographies, & generate a positive ROI. How is your information security?
#rsac Art’s presentation was good. Agree with Taleb perspective, but it must be applied at Org to match robustness #infosec
Art Coviello gave an impassioned presentation that I thought was very good for a keynote at that level. Typically there is a risk of sales material (which did occur at the end, of course), but there were a couple of good analogies and some useful mental positioning. I thought his analogy to Nassim Taleb’s Antifragile was on point (and funny, since I am a third of the way through it, so it is very fresh in my mind) for security operations against cyber threats. I would expand it, though, to include the business process and the information security compliance program. I have found that the block and tackle of information security itself needs to be robust and antifragile. Lacking these elements forfeits the benefits of the threat intelligence he describes.
This is especially poignant to me given the relatively low volatility in the types of attacks that succeed against organizations, and their ongoing effectiveness in breaching company defenses.
If you want to watch the keynotes (I would recommend at least Art’s and Scott Charney’s), they are available live and on demand.
RSA thoughts and sessions .. to be continued ..
Posted in Compliance, information security, ROI
Tagged 2013, apt, Art Coviello, bill brenner, cyberwar, hack america, information security, infosec, it compliance and controls, IT Controls, james deluccia, jdeluccia, rsac, Security
The attacker / victim scenarios we designed are no longer appropriate. It is amazing that only a decade ago I was working with teams to design information security attack scenarios where we were dealing mainly with mafia, ex-intelligence agents, and loose-knit groups. Now we have countries organized and attacking with some brilliant attack strategies. The sophistication, coordination, and execution of these attacks make it obvious that they are conducted by military / intelligence professionals. Despite all the conjecture it has been difficult to prove, as usually only victims and logs stand as evidence. The developments around YamaTough present a hard case where a country’s espionage activities may be exposed.
I would encourage reading the multiple great articles on this topic; a superb starting point is InfoSecIsland. The facts are critical to understanding how to protect company, personal, and government assets. The actions are key to understanding what is at stake, and how critical it is to be ever agile against these threats.
The takeaway from this attack and the article referenced above, though, is not simply to be more agile. It is to conduct a deep evaluation of the third parties with which you do business. This evaluation must consider every partner of the business that gains digital access to company resources. Who should this include? At least the following:
- Vendors that maintain your systems (hardware and software)
- Outsourcing teams that provide remote management / operational support for your systems
- Vendors that support your Cloud environments
- Vendors that provide hardware authentication and other ‘highly dependent’ technology aspects of your infrastructure
- Loaned staff brought on board through HR, and contractors
Businesses have progressively outsourced and partnered in ways that grant access to key networks, at least on a temporary basis. In some cases the security design, management, log monitoring, and underlying software are all designed by third parties. The cost of overseeing, testing, vetting, and validating the integrity / security of these operations must be considered now.
The scenario of India as a country conducting espionage produced a timeline example that, while humorous, provides a simple description of the current environment:
- Businesses outsource IT operations to a company
- The team that managed those operations is hired by an offensive security group
- The same team leverages its prior knowledge to attack and circumvent customers throughout the region
- The business has no security through obscurity; in fact, it is defensively naked against these individuals, since most of its security safeguards are unchanged
- The business, in most cases, is not monitoring these partners for activities such as reconnaissance
- Finally, the BPO and the deep network (family and financial) of businesses where outsourcing occurs creates the possibility that approved access itself may be hijacked by attackers
Organizations must seek assurance regarding the operations of third parties, but also institute monitoring, detection, and response capabilities to ensure the ability to identify and limit these events.
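As an added example (not from the original post), the following Python sketch shows what the monitoring described above can look like in practice: each vendor account carries a contractual scope (approved hosts and a maintenance window), and the check flags access outside that scope, access outside the window, and the fan-out pattern of one account touching many hosts in a short time, which is what reconnaissance looks like in an access log. The log format, account names, hosts, scopes and threshold are all constructed for illustration and are assumptions, not anything from the post or a real product.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log from a hypothetical jump host, one connection per line.
# Assumed format: "<ISO-8601 time> <account> <src_ip> <dst_host> <result>"
SAMPLE_LOG = """\
2012-02-14T02:05:11 vnd-acme-db 203.0.113.10 db-prod-01 OK
2012-02-14T02:07:40 vnd-acme-db 203.0.113.10 db-prod-02 OK
2012-02-14T13:30:02 vnd-acme-db 203.0.113.10 db-prod-01 OK
2012-02-14T02:10:00 vnd-netops 198.51.100.7 core-sw-01 OK
2012-02-14T02:10:05 vnd-netops 198.51.100.7 hr-fileserver DENIED
2012-02-14T02:10:06 vnd-netops 198.51.100.7 fin-app-01 DENIED
2012-02-14T02:10:07 vnd-netops 198.51.100.7 ad-dc-01 DENIED
2012-02-14T02:10:08 vnd-netops 198.51.100.7 mail-01 DENIED
2012-02-14T02:10:09 vnd-netops 198.51.100.7 wiki-01 DENIED
2012-02-14T02:10:10 vnd-netops 198.51.100.7 build-01 DENIED
"""

# Hypothetical contractual scope per vendor account: which hosts it may touch
# and the maintenance window (local time) in which it may do so.
VENDOR_SCOPE = {
    "vnd-acme-db": {"hosts": {"db-prod-01", "db-prod-02"}, "window": (time(1, 0), time(5, 0))},
    "vnd-netops": {"hosts": {"core-sw-01", "core-sw-02"}, "window": (time(1, 0), time(5, 0))},
}

# Distinct destination hosts one account may touch in a 10-minute bucket before
# the pattern is treated as reconnaissance (threshold chosen for this sample).
FANOUT_THRESHOLD = 5


def parse_log(text):
    """Parse the constructed log format into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src_ip, dst_host, result = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "src_ip": src_ip,
            "dst_host": dst_host,
            "result": result,
        })
    return records


def in_window(ts, window):
    """True if the timestamp's time of day falls inside (start, end)."""
    start, end = window
    return start <= ts.time() <= end


def check_vendor_access(records, scope, fanout_threshold=FANOUT_THRESHOLD):
    """Return (account, finding, detail) tuples for out-of-scope, out-of-window
    and fan-out behaviour. Denied attempts are deliberately counted: a vendor
    probing hosts it cannot reach is exactly the reconnaissance signal wanted."""
    findings = []
    buckets = defaultdict(set)  # (account, 10-minute bucket) -> distinct hosts touched
    for r in records:
        policy = scope.get(r["account"])
        if policy is None:
            findings.append((r["account"], "UNKNOWN_ACCOUNT", r["dst_host"]))
            continue
        if r["dst_host"] not in policy["hosts"]:
            findings.append((r["account"], "OUT_OF_SCOPE", r["dst_host"]))
        if not in_window(r["ts"], policy["window"]):
            findings.append((r["account"], "OUT_OF_WINDOW", r["ts"].isoformat()))
        bucket = r["ts"].replace(minute=r["ts"].minute // 10 * 10, second=0, microsecond=0)
        buckets[(r["account"], bucket)].add(r["dst_host"])
    for (account, bucket), hosts in sorted(buckets.items()):
        if len(hosts) >= fanout_threshold:
            findings.append((account, "FANOUT",
                             f"{len(hosts)} distinct hosts in 10 min from {bucket.isoformat()}"))
    return findings


if __name__ == "__main__":
    for account, kind, detail in check_vendor_access(parse_log(SAMPLE_LOG), VENDOR_SCOPE):
        print(f"{kind:15} {account:12} {detail}")
```

On this sample the database vendor is flagged once for a mid-afternoon login outside its window, while the network vendor is flagged six times for touching hosts outside its contracted scope and once for fan-out, even though every one of those attempts was denied. The denied attempts are the point: an access-control failure log that nobody reads is not monitoring.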
Other thoughts / considerations?
James DeLuccia IV
Posted in Compliance
Tagged 2012, best practices, Compliance, cybersecurity, cyberwar, espionage, forensics, india, it compliance and controls, IT Controls, james deluccia, PCI DSS, Security, uscc, Validation, yamatough
Cofer Black, a counter-terrorism expert, spoke at Black Hat on cyberwar and the challenges of communicating the threats to leadership. A few core highlights of that talk:
“…toughest thing about predicting terrorist attacks was getting people in power to take the predictions seriously and to do something about it.”
- Similar challenges exist within business organizations, where risk landscapes may be incomplete or lack linkages between the enterprise’s business elements and its information security programs.
- The media attention to data breaches, though, may create clarity on this threat.
“Validation of threats will come into your world,” Black said. “There is a delay to that validation. This is the greatest issue you are going to face.”
- Meaning it will occur, but definitive examples and “reasons for deterrence” will not arise until it has already occurred. So it is appropriate to begin maturing the minimization and management of valuable data, and the incident response capabilities, now…
“…We are moving from the Cold War to ‘code war.’”
- A code war, yes, for governments; but the driver for business leaders is the notion of businesses and nation states stealing intellectual property (which many define loosely and inaccurately) to create competitive alternatives OR to bolster the local quality of life for a group of people.
There are interesting public examples where digital attacks created an advantage for an attacking force and achieved results that would otherwise have required kinetic military force. Two examples are the reported compromise of Syria’s air-defense radar in 2007, which allowed the bombing of a nuclear reactor site (Syrian radar screens were left blank), and Stuxnet, which drove centrifuges outside their normal operating speeds while presenting operators with readings that showed normal operation (this caused a multi-year negative impact on the plant).
“…the problem with cyber warfare is the “false flag,” where countries responsible for cyber attacks will be able to plausibly deny responsibility or otherwise shift the blame to a rogue element.”
- Attribution challenges make kinetic responses highly susceptible to trickery / fraud.
The seriousness and sophistication of the attacks, motivation, and intent against organizations is palpable. Over the next few years, equal sophistication must be applied to deterrence and the management of information security.
Other thoughts, research, insights?
- James DeLuccia
There is a great deal of misinformation regarding the denial-of-service attack that has been ongoing. While many of the facts are not yet available, the misinformation is plainly visible.
- First off, a denial-of-service attack (DDoS or DoS) can be launched from anywhere in the world.
- Secondly, such an attack is typically carried out using computers that have been infected by malware, unbeknownst to the user / owner.
- Thirdly, such attacks can be coordinated through multiple locations; the end result is that there is no absolutely clear view of the originator of the crime.
The Wall Street Journal article, New Web Attacks Hit Some South Korean Sites, today blended two stories together: the cyberattack that is under way, and loose ties to how N. Korea is undergoing leadership changes and becoming more aggressive militarily (a weak correlation, to be sure). Another news story in The Hankyoreh (the link is in English, and the article is also available in Korean) states that 26,000 computers in South Korea were executing the DDoS attack. They provide an interesting perspective on how this attack differs from others. It is inaccurate, however, for them to be physically examining a computer (as shown in the picture included in the article) and its chips to determine the cause of the attack; the cause is malware (MyDoom, Conficker, etc…).
The security industry has been warning of the danger of allowing such malware to infect systems, and the result is now evident. This attack is being orchestrated with only 26,000 computers. The University of California researchers who took over the Torpig botnet had control of 182,914 hosts, roughly 7 TIMES as many systems, whereas this ongoing attack is sourced from one particular geographic region.
A note of caution: attacks such as this create a lot of noise. Such noise can be used to conceal the illicit activities of criminals. In the security and audit world we expect, and have in place, technology that triggers alerts and initiates security protocols when such events occur. If the number of events exhausts those resources, however, then prioritization begins to play a part, and whatever does not fit in the queue is effectively unmonitored. Businesses, and governments, must consider these conditions and risks when responding to such situations.
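As an added example (not from the original post), the following Python sketch shows the prioritization problem described above over a constructed alert stream: a SYN flood from two thousand distinct bot addresses, with one unrelated high-severity alert (a bulk database export) buried in the middle. A severity-first queue with limited analyst capacity never reaches the buried alert, because the flood shares its severity and arrived first; collapsing alerts that share a signature and destination into a single summary line preserves it. The two thousand distinct source addresses also illustrate the earlier point that the visible sources of a DDoS are infected machines, not the originator. All alert fields, signature names and addresses are constructed assumptions, not output from any real IDS.

```python
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def make_sample_alerts(flood_size=2000, exfil_position=1200):
    """Constructed alert stream: a SYN flood from thousands of distinct bot
    addresses, with one unrelated high-severity alert buried in the middle."""
    alerts = []
    for i in range(flood_size):
        alerts.append({
            "ts": f"2009-07-08T14:{i // 60 % 60:02d}:{i % 60:02d}",
            "severity": "HIGH",
            "signature": "TCP_SYN_FLOOD",
            "src": f"10.{i // 256}.{i % 256}.1",  # every bot has its own address
            "dst": "203.0.113.5",                 # the flooded web front end
        })
        if i == exfil_position:
            alerts.append({
                "ts": "2009-07-08T14:20:00",
                "severity": "HIGH",
                "signature": "DB_BULK_EXPORT",
                "src": "192.0.2.44",
                "dst": "203.0.113.9",             # internal DB, not the flooded host
            })
    return alerts


def triage_naive(alerts, capacity):
    """Severity-first queue, arrival order within a severity level; the analyst
    team only gets through `capacity` alerts before the next batch arrives."""
    ranked = sorted(alerts, key=lambda a: SEVERITY_RANK[a["severity"]])  # stable sort
    return ranked[:capacity]


def triage_aggregated(alerts, capacity):
    """Collapse alerts that share (signature, destination) into one summary
    carrying a count and the number of distinct sources, then rank. The flood
    becomes a single line item instead of consuming the whole queue."""
    groups = {}
    for a in alerts:
        g = groups.setdefault((a["signature"], a["dst"]), {
            "signature": a["signature"], "dst": a["dst"], "severity": a["severity"],
            "first_ts": a["ts"], "count": 0, "sources": set(),
        })
        g["count"] += 1
        g["sources"].add(a["src"])
    summaries = []
    for g in groups.values():
        s = dict(g)
        s["distinct_sources"] = len(s.pop("sources"))
        summaries.append(s)
    summaries.sort(key=lambda s: (SEVERITY_RANK[s["severity"]], s["first_ts"]))
    return summaries[:capacity]


def signatures(queue):
    """Set of signatures an analyst would actually see in a queue."""
    return {a["signature"] for a in queue}


if __name__ == "__main__":
    alerts = make_sample_alerts()
    print("naive queue sees:", signatures(triage_naive(alerts, 500)))
    for s in triage_aggregated(alerts, 500):
        print(f"{s['signature']:15} count={s['count']:5} distinct_sources={s['distinct_sources']:5}")
```

With a capacity of 500 the naive queue contains nothing but TCP_SYN_FLOOD entries, while the aggregated queue is two lines long: the flood (count 2000, 2000 distinct sources) and the database export. Aggregation is the cheap version of the prioritization the text calls for; the expensive part is making sure the collapsed flood line still gets the attention it deserves rather than becoming noise of its own.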
Situations such as these should evoke thought and action, but not necessarily motion; as Benjamin Franklin put it quite eloquently, “Never confuse motion with action”. It would be ill advised for governments to erect vast regulatory bodies / Czars / Committee reviews of this situation. The cause and the solution are known; what is required is precise action and response.
Contrary Thoughts / Insights into the actual originators?
James DeLuccia IV
My profile on LinkedIn
I will be speaking at RSA 2009 Europe, please register and join the discussion on the future of data security and privacy (links coming soon)