Topics for deeper study from the Commission on Enhancing National Security released on 12/1/2016

A few sections that I feel strongly about and look forward to studying more, and hopefully helping teams work on generally.

 

This feels very aligned with themes and success patterns within the development advanced technology space. There is an art though to these metrics and I am interested on the philosophy, raw inputs, and weight placed upon the 1,000s of possibly collected metrics:

Action Item 5.3.3 OMB should integrate cybersecurity metrics with agency performance metrics, review these metrics biannually, and integrate metrics and associated performance with the annual budget process. (SHORT TERM)

The idea of creating consistency and similarity seems to have a possibility of weakening the resiliency of the currently structured components. In that variety of administration, build, procedure, and custom threat augmentation all weaken with consistency. This will be interesting to see based on historic events. Cost wise I see an advantage, resiliency I am hesitant:

Recommendation 5.1 The federal government should take advantage of its ability to share components of the information technology (IT) infrastructure by consolidating basic network operations.

Well this sounds absolutely identical to the initiative that Mudge and his wife have setup in Washington and they presented at DefCon, well done:

Action Item 3.1.1 To improve consumers’ purchasing decisions, an independent organization should develop the equivalent of a cybersecurity “nutritional label” for technology products and services— ideally linked to a rating system of understandable, impartial, third-party assessment that consumers will intuitively trust and understand. (SHORT AND MEDIUM TERM)

 

Maybe if we stopped stating roles and responsibilities to regular consumers of our technology and spoke to them in English, as I learned the hard way in my own Consumer ‘roles and responsibilities’ a part of How Not To Be Hacked:

Action Item 3.1.3 The FTC should convene consumer organizations and industry stakeholders in an initiative to develop a standard template for documents that inform consumers of their cybersecurity roles and responsibilities as citizens in the digital economy

More to follow … hoping there is more transparency around these results and the process to enhance our Nation’s future success and safety.

James

https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf

Commission recommends an oversight agency, COMMISSION ON ENHANCING NATIONAL CYBERSECURITY

As many know, the 100 page report (really only about 50 if you exclude the appendices) highlights a lot of findings to shore up the government’s cybersecurity posture. As I study the findings and actions, I will share highlights.

Action Item 5.5.2 Congress should consolidate cybersecurity and infrastructure protection functions under the oversight of a single federal agency, and ensure this agency has the appropriate capabilities and responsibilities to execute its mission. (SHORT TERM)

This is something that I and others have warned against. Not that it shouldn’t happen, but if private industry doesn’t shore up the cybersecurity issue this will become a legislated and enforced area of business and technology. There is a path for this to avoid legislation and oversight, but that may not be viable if we continue to have major citizen impacting issues.

Full report: https://www.whitehouse.gov/sites/default/files/docs/cybersecurity_report.pdf

Thoughts?

James

Active Defense for Products, Example: Facebook | TechCrunch

I have highlighted that product teams need to move beyond security (preventing classic buffer overflows) to introducing cybersecurity within the logic of their application for real world scenarios. This active defense (called many things) is essential to having our products operate in hostile environments.

Facebook shared an example how they structure their product (authentication) to bolster the safety for it’s users – even when they are using products / platforms (Android older versions) that are proven to have backdoors and malicious code exploits. This is a great demonstration and opportunity for self reflection:

  1. How have you enhanced your product?
  2. Are you just ‘scanning’ and closing tickets or is your cybersecurity intelligence being applied to functional requirements?
  3. Is your ratio of Development engineers to Cybersecurity engineers appropriate?

Facebook can’t force you to use two-factor identification, even though it knows you would be safer if you did. That forces the social media giant to find other ways to build in safety for you. Alex Stamos CSO says, the company actually monitors black market password databases, looking for password matches against its user base, and warning people when they find compromised ones.

Source: Facebook wants to make you secure no matter how hard you make it | TechCrunch

Attacking the attacking IoT Botnet: Invincea Labs’ Killing Mirai: Active defense

While the ISPs, DDoS mitigation services, and others scramble to figure out how to augment traditional defenses to handle this new threat, we decided to investigate a less conventional approach. Attackers often rely on exploiting vulnerabilities in software we own to install their tools on our systems…So why not use their own strategy against them?

Source: Invincea Labs

A nice write-up about another contrarian approach to defeating botnet coordinated attacks against online systems. The concept of exploiting an operating botnet is interesting, and in this demonstration successful. What I found most interesting was the introduction of specific active defense methods that businesses, service providers, ISP, OSP, and DDoS mitigation companies can / should / may begin to leverage.

How is your company leveraging active defense? Not specifically counter-attacking, but other methods? In my work around product security, I see the concept of predefining attack scenarios and setting up safeguards in the code (i.e., if X becomes available do Y… not simply stop buffer overflow, but acceptance of an event and establishing the next two steps to continue operations).

Within autonomous infrastructure, cars, online cloud / container environments this now must be instituted. The complexity and fun is in the scenario analysis and multi-variable conclusion requirements.

Glad to see others thinking outside the box.

James

 

 

IoT Botnets .. White label risks .. Bad customer experience .. and what it means from our post IoT Attack Analysis, Threatpost

Overview

Iot devices are the new emerging world .. roughly 10 billion such devices are in our daily lives at this moment, and this number is expected to multiply quickly. What are these devices – look at your wrist, your home thermostat, your TV, your lighting, the HVAC at your office, the traffic (ground and air) systems, and billions of more internet connected sensors around the world.

IoT hacked, weaponized

Most recently, and publicly, an online journalist website was taken down with the use of commandeered consumer IoT devices (about 500,000). This was not hard, and can easily be replicated by anyone with about an extra 10 hours on their hands (and a bit of legal protection). The analysis linked below is rich and worth diving in, but I wanted to highlight a different view point:

  • First, White Label risks, if you are branding a chip, gadget, component, software package, and such from another business – YOU must ensure the technology is up to your standard. Secure, high quality, safety to the user and an enjoyable experience. Liability risks would be interesting to explore, but beyond those costs …
  • Second, customer experience ruined with your device / service. If you had a vulnerable piece of technology (because you didn’t vet it), and then every device you sold was suddenly rebooting, not working, ruining that vital NetFlix binge, etc …. how do you think consumers will react? Not a pleasant scene given how hard we each work to build beautiful customer experiences with our products.
  • Finally, this problem won’t go away. Everyone of those vulnerable (500k!!!) devices will ALWAYS be vulnerable given that the weaknesses were hard coded (permanently written into the product), and cannot be changed. Not a fun recall process and with so low margin, how many will actually mandate it / be required to do so / who is looking over this fast and loose area of products?
  • I firmly believe we can do better, must do better, and will either be be given the chance or mandated to do just that. How are others vetting these processes? How could all of these white label sourcing / procurement teams have caught this sooner? How complex would it have been to detect and validate? Given the amount of successful attacks on this single product, it seems quite easy to have accomplished. Tongue and cheek, I’d recommend my book that I wrote for my family, How Not To Be Hacked, as it highlights specifically NEVER to leave default passwords – but in this case, the vendor made them permanent.

Let’s do better together and make richer experiences. The only true solution to stopping these zombie IoT Devices will be for carriers to block them wholly on the wire, Internet-Bricking / Banishing them to an offline world.

The culprit behind the KrebsOnSecurity.com and OVH attacks is traced back to one white-box DVR manufacturer, China-based XiongMai Technologies. The company sells white-labeled DVRs, network video recorders and IP camera circuit boards and companion software to a large number of vendors who in turn use the technology in their own products, according to Flashpoint blog post on the DDoS attacks posted Friday.In the case of XiongMai Technologies, it made the fatal error of using a default username “root” and password “xc3511” combination on each of the 500,000 devices used in the DDoS attacks.

Source: When DVRs Attack: Post IoT Attack Analysis | Threatpost | The first stop for security news

How did the Google Web Server team achieve reliable, secure, and become the most productive team?

What does it take to transform your application development from Waterfall to Agile to DevOps to CI/CD? A lot … but at some point, all of the gears, gadgets, widgets, and funding won’t make the possible happen without one thing. A culture to holding integrity – to the code, to the doing what you know is right. Simply put, leadership and air cover matter a whole lot in the beginning to change.

I love this quote below from Bharat Mediratta on how ultimately they made automated testing (ahem, Security, Integrity, Code Quality, Privacy, and Compliance) a mandate for everyone – no one could submit code that broke the application (pipeline).

What did they do precisely, what is that magic bullet?

They created a hard line: no changes would be accepted into GWS without accompanying automated tests. They set up a continuous build and religiously kept it passing

Source: The birth of the automated testing culture at Google

There is so much to learn and we can do it together – see Gene Kim’s current works the DevOps Handbook, and join his knowledge dropping newsletters to get more insights.

Thanks Gene for building our Tribe (Seth Godin would be proud),

James

Why you need consolidation of your threat more than threat intelligence – Someone Is Learning How to Take Down the Internet – Schneier on Security

Bruce is by far the most prolific writer and researcher in security. He states things as they are and frames challenges brilliantly. Please check out his site, bookmark it, and be sure to read the comments – they are shockingly worth your time. He recently posted about DDos and the profiling with an aim to perhaps, Take Down the Internet.

While that requires our attention, there is a call out on – what can we do? Well, I see one immediate takeaway as it applies to your business, safety, and ongoing prosperity … but first a quote from the article:

The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.

Source: Someone Is Learning How to Take Down the Internet – Schneier on Security

So if someone is employing multiple attack methods they are testing your defenses … that begs the question:

  1. Do you have your own internal threat intelligence shored up to be smart and effective in this area?
  2. Is fraud a risk and are you able to identify these risks from different angles?
  3. Are you data mining all of your logs (across the enterprise if you are so large) for such findings and nuggets of importance?
  4. Are you capturing the right data to conduct such an analysis – it requires a bit of deep integration across IT and your product teams AND your suppliers

So much can be managed with a bit of insight and action … please help keep our Internet operational, pleasant, and your business available.

James