Tag Archives: 2011

What does the SCADA water pump attack mean to your business…

The ability to attack, compromise, and cause damage has existed since the utility industry began connecting these systems to the Internet. Examples, including the European nation that was attacked 24+ months ago, are easy to locate. Yesterday an attack (more proof of concept than anything it could really have been) occurred. The current public awareness of cyber attacks, the nation state theater risks, and the transparency of this action have raised the resulting awareness beyond the closed professional circles within Information Security. There are a number of interesting write-ups and I would suggest carefully reading a few for a balanced perspective. Two that I would recommend include:

What this means for your Utility company is that the abstract threat modeling exercise that considers these attack vectors should be conducted more thoroughly, with real risk and mitigation decisions progressing up to the Board of Directors.

As for everyone else who is a customer of such utility companies, the BCP/DR plans should be updated to reflect the possibility of such a loss of services. Business enterprise information security / risk management programs (+vendor management) should elevate the priority of utility service providers (including cellular operators). These actions should directly impact the annual/ongoing risk assessments and establish an expectation of regular security assessment and assurance from these service providers.

It is an interesting quandary that Cloud service providers are vetted and assessed more rigorously than Utility service providers, the original cloud.

Thoughts .. challenges?

James DeLuccia IV


Convergence Risk: Google Chrome and Extensions, at BlackHat 2011

Interesting quotes from the researchers who demonstrated attack vectors in Google’s Chrome during Blackhat 2011:

“The software security model we’ve been dealing with for decades now has been reframed,” Johansen said.  “It’s moved into the cloud and if you’re logged into bank, social network and email accounts, why do I care what’s stored in your hard drive?”

  • An important illumination regarding the shifting risk landscape. How the user interfaces with data and the system has changed, and this challenges the current technology controls relied upon to safeguard intellectual property.
  • What is the effective rate of end-point security (malware / phishing agents, anti-virus) in this new use case?
  • What is being deployed and effective – policy, procedure, technology, a hybrid?

“While the Chrome browser has a sandboxing security feature to prevent an attack from accessing critical system processes, Chrome extensions are an exception to the rule. They can communicate among each other, making it fairly easy for an attacker to jump from a flawed extension to steal data from a secure extension.”

  • Speaks to the issue of convergence of apps that are emerging on iPhones, Androids, respective tablets, TVs, browsers, operating systems, etc… Similar to the fragmentation attacks of the past – where individual packets looked innocent in isolation, but once all were received they reassembled into something capable of malicious activity.

An interesting extension of the risk here is that the platform and / or devices may be trusted and accepted by enterprises, but it is these Apps / Widgets / Extensions that are creating the security scenarios. This requires a policy and process for understanding the state of these platforms (platforms here including all mobile devices, browsers, and similar App-Loadable environments) beyond the gold configuration build.

Another article on the Google Chrome extension risk described above.

Thoughts?

James DeLuccia

Joseph Black, ex-CIA, spoke on cyberwar and the future at Blackhat

Joseph Black, a counter-terrorism expert, spoke at Blackhat on Cyberwar and the challenges of communicating the threats to leadership. A few core highlights of that talk:

“…toughest thing about predicting terrorist attacks was getting people in power to take the predictions seriously and to do something about it.”

  • Similar challenges exist within business organizations, where risk landscapes may be incomplete or lack linkages across the enterprise’s business elements and information security programs.
  • The media attention to data breaches though may create clarity on this threat.

“Validation of threats will come into your world,” Black said. “There is a delay to that validation. This is the greatest issue you are going to face.”

  • Meaning it will occur, but definitive examples and “reasons for deterrence” will not arise until it has already occurred. So it is appropriate to begin maturing now the minimization and management of valuable data and the incident response capabilities…

“…We are moving from the Cold War to ‘code war.'”

  • A code war, yes, for governments, but the driver for business leaders is the notion of businesses and nation states stealing intellectual property (which many define loosely and inaccurately) to create competitive alternatives OR to bolster local quality of life for a group of people.

There are interesting public examples where digital attacks created an advantage for an attacking force and achieved results that would otherwise have required military kinetic force. Two examples include the hacking of Syria’s radar software in 2007 that allowed for the bombing of a nuclear reactor (Syrian radar screens were made blank), and Stuxnet, which caused the centrifuges to spin aggressively while displaying readings to operators showing normal operation (this caused a multi-year negative impact to these plants).

“…the problem with cyber warfare is the “false flag,” where countries responsible for cyber attacks will be able to plausibly deny responsibility or otherwise shift the blame to a rogue element.”

  • Attribution challenges make kinetic responses highly susceptible to trickery / fraud.

The seriousness and sophistication of attack, motivation, and intent against organizations is palpable. Over the next few years, equal sophistication must be applied to deterrence and the management of information security.

Other thoughts, research, insights?

– James DeLuccia

Analysis of McAfee’s Operation Shady RAT Report and highlights

’Tis Blackhat & Defcon, so what follows are my thoughts …
McAfee released their Operation Shady RAT paper yesterday. It focuses on data captured from a command and control server that had logs covering a 6 year period. They go into nice detail breaking down the attacks and timeframe, and allude to the motivations of the (single) attacker. What does this mean for organizations and safeguarding information? I think this paragraph articulates the value crisply:

“What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth—closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.”

Interesting details:

“…key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification…”

<– As we have progressed from the freelance and curious attackers of the past to now, the motivation has changed, but so has the economic model. These attackers were concerned with the long term and therefore were financed for the long haul too. This is a key assumption of the threat landscape that must change from prior models. The fun days of watching attack patterns change with the annual summer school break and DefCon are over. Businesses and models must change accordingly.

Interesting … the 14 geographic regions listed are missing one particular nation…

The description of the organizations that were breached and captured in these logs certainly is across the board. Given the author’s mention that, based on his insight, virtually all organizations have been breached, it is hard to look at the list hoping not to be on it – everyone is. What is interesting to me is the continued deep penetration at what I term ‘Infrastructure Level Attacks’: systemic attacks designed to bypass the base assumptions and safeguards – such as the encryption certificates; the tokens of 2-factor authentication; the cellphone and voicemail systems; and (as highlighted here) communications technology companies, international trade organizations that are privy to competitive information, satellite operators, and defense contractors (perhaps creating the opportunity for the recent influx of malicious control chips shipped out of China).

A rich number of papers have been produced over the past few years that provide greater information on this threat. I would encourage reading these intelligence reports as time permits. A good site that continually has actionable information is here.

A short note on the flurry of posts and messages:

It’s Blackhat and Defcon week which means copious amounts of reports, presentations, and sometimes seismic events within the information security and intelligence space.  As interesting bits come to my attention I am posting them via twitter, and will try and post any excerpts that catch my eye.  I strongly encourage reading the full presentations and research papers.  Massive efforts went into these works, and it is now our opportunity to apply that knowledge appropriately.  I do look forward to others sharing their opinion, research, and links.

Other thoughts?

James

Planning for and Implementing ISO 27001 .. a review and ideas

Below are my highlights and comments on the ISACA article ‘Planning for and Implementing ISO 27001’ by Charu Pelnekar, which was published recently and is available in full detail on ISACA’s website. Definitely worth a full read. A few highlights that leaped from the page follow.

Benefits of establishing an ISMS:
  – “Enable enterprises to benchmark against peers” <– Highlights a good question: how are YOU benchmarking your information security efforts? Are you basing it on staying out of the WSJ and riding the media wagon, or are you doing something different? Industry surveys, publicly traded company statements, and industry sector considerations are excellent perspectives. Considering the maturity of the program and benchmarking it against comparable peers – based on revenue, complexity, locations, sector, what is sensitive, customer base, and legislation – is equally valuable (and seldom considered completely).

  – “Provide relevant information about IT security to vendors and customers” <– Responding to multiple client and partner information security verification audits is a necessity today, a trend that will continue until the use of standards and their adoption is consistent and proven. Further highlighted by the author when considering the benefit of gaining a “Comfort level of interoperability due to common set of guidelines followed by the partner organization”.

  – “Enable management to demonstrate due diligence” <– There is legal precedent for the existence, operation, and proven maturity of an ISMS being a significant factor in determining whether a business has exercised due diligence with regard to safeguarding information.

  – “Assist in determining the status of information security and degree of compliance” <– A worthwhile pursuit and consideration for the risk management and internal teams within every organization. Pivoting / Agile / Adaptable / (insert latest phrase here) organizations need to constantly adapt how they innovate; similarly, they should evaluate the adequacy of their current information security programs (the actual program) and the effectiveness of the program. This is not a commitment to grow, but instead to shift left and right as needed at the current time.

Costs of implementation depend on numerous factors, but a highly sensitive variable is the health of the IT organization and the sophistication of the enterprise information security program. Within the ISMS is the process of risk assessments designed to identify risks – the greater the number of risks, the more significant the necessary remediation costs can be (with respect – this is not the cost of implementing the program, but instead of raising the operating state of the organization in line with the risk tolerance of the business). Regardless, these must be managed appropriately in order for the ISO 27001 program to be considered effective and certifiable.

The complexity of managing and operating a mature information security program that adheres to ISO 27001:2005 is dependent upon several factors, but one standout is the scale of operations – which can be defined as “# of employees, business processes, work locations, products and or services offered”.

Implementing an ISMS for an organization begins with several key and required efforts.  The sequence, thought, and support applied to each ensures that the business has an enhanced information security posture that is both sustainable and meaningful.  These include:

  1. Defining the ISMS Policy
  2. Defining the scope of the ISMS
  3. Performing a security risk assessment (on the in-scope environment)
  4. Managing the identified risks with consideration of the risk tolerance and risk criteria
  5. Selecting controls to be implemented and applied, and finally preparing the SOA (Statement of Applicability).

The article, published by ISACA in Volume 4 2011 and available for free to all members, provides a nice high level breakdown of what is required for an enterprise to reach ISO 27001 certification. I would add that linkage is the only major high level component absent in the article. Linkage throughout the program is essential to ensuring a cost effective and business appropriate program is established and maintained.

For those serious about maturing their organization, ISO 27001:2005 is a good objective. For a deeper understanding of what is required, I would encourage purchasing a copy of the entire 2700X standard family to have a full understanding of implementation; safeguard controls; and risk assessment programs. A nice article from SANS on implementing an ISMS is available here (pdf).

Another way of considering the benefits of a mature security program is to ask whether an organization will be compliant with PCI DSS or other legislative requirements as a result of implementing ISO 27001. Simple answer: yes. Longer answer another day.

Thoughts and challenges?

– James DeLuccia

Infrastructure Security Response, Google excludes 11M+ domains

Google officially removed a “freehost” provider from a Korean Company that was providing the .co.cc domain (link to The Register article). This was done on the basis of a large percentage of spammy or low-quality sites. According to the Anti-Phishing Working Group (report), this domain accounted for a large volume of malware, phishing, and spam traffic.

This defensive move by Google nicely frames a counter-move to what I have termed ‘Infrastructure level attacks’. These types of attacks are executed through planned, global programs designed to bypass the fundamental security safeguards organizations deploy. The popular examples are RSA SecurID Tokens and Comodo certificates.

The challenge has been how to respond in kind to such attacks, and here we are seeing an exploration of that response. The U.S. Government is exploring filters and preventive tools at the ISP level, and here we have a propagator of search results eliminating the possibility of users connecting to such domains – regardless of any non-malicious sites among them.

This highlights the need to examine the information security program of your organization and its core providers. This examination must consider risks that are known and ‘far-fetched ideas’ (such as the domain being blocked at the ISP level) that may impact your business. Such continuous programs of risk assessment are key, but just as critical is the examination and pivoting of the program itself (yes.. a risk assessment of the risk assessment program).

Counter thoughts?

James DeLuccia

SEC Privacy and Safeguard rule enforced upon individuals

In the U.S., the SEC and FTC are currently enforcing information security sanctions and penalties upon companies that are both victims and guilty of violating privacy and information security practices. The applicable law and infraction vary, but needless to say, poor decisions by companies are being scrutinized by these two agencies.

A recent enforcement action dealing with the SEC’s Privacy and Safeguards Rule (Regulation S-P) centered on three individuals who were fined for their actions. Infosecisland has a nice write-up from back in April, which can be found here. This article and enforcement action are relevant today, and applicable to all businesses and professionals in the information security and compliance space. Of particular interest is how the SEC framed the violation and the applied fine. To illustrate, I have blanked out some of the names and added titles where appropriate below to create a bit of a MadLib-style enforcement ‘fill in the blank’ mental map:

The SEC alleged that Chief Compliance Officer / ______ violated the rules by failing to supervise ‘The Sales Manager’ and ‘The President of the firm’, failing to ensure that the firm’s policies and procedures were reasonably designed to safeguard confidential customer information, and failing to update the firm’s relevant policies and procedures following the information security breaches the firm experienced between 2005 and 2009.

Finally, the SEC alleged that, by their conduct, the three former executives aided and abetted ______ in violating Regulation S-P.

“The SEC imposed a fine of $20,000 on _____ and ____ and $15,000 on Chief Compliance Officer (individually and personally).”

It is critically important to always do what is right, and sometimes teams within the security and compliance space are worn down. The escalation of attacks over these past few years, the clear gap in the possible damages from such attacks to governments and business, and the personal harm that can result only raise the bar.

Next steps – always consider the methodical nature of managing your business’ information security program and ensure it evolves with the business relationships and threats that exist internally and externally. Standards provide a baseline, but certainly not the immediate answer. Other considerations?

James DeLuccia