A quote similar stated that SCADA and basically systems controlling physical machines is the new attack surface. It struck me as obvious and non-obvious upon reflection. The security of these systems tends to be Facilities and not under the scope of concern of most CISO and certainly not the CIO. That is unless the organization is structured where such operating roles are under the General Legal Counsel or the COO. The structure of the organization as it relates to operational integrity, competitiveness, and ultimately compliance – security depends upon the organizational structures being adapted to the technology age. To often we forget the value of organizational strategy shifts, and this is one that will be necessary and provide valuable returns.
How can this trickle into the tactical operations of the business?
Consider this single example?
- What controls do you have on checking the version of the HVAC units (software version) powering your data center and or corporate offices?
- Is there a security control in place to have it; be sure it can handle the load, and testing to ensure it works? I imagine yes to all 3, as these are ABC of operations
- What is the version of the HVAC PLC / SCADA element that is being utilized by the vendor and monitoring teams that is accessible remotely?
- When audits occur, do they check to be sure the device isn’t the Siemens or other manufacturer that was just highlighted at Defcon or on the news?
If this is the new frontier, we need to start structuring organizations in a manner that are designed to care for these considerations to allow for business to be agile and competitive.
Thoughts (a bit of latitude on the above terminology is requested, given I am simplifying the example to avoid to much technical specification and confusion)?
Posted in audit, Compliance, Security
Tagged 2012, attack surface, best practices, chief audit executive, cio, clo, Compliance, coo, cybersecurity, data center, defcon, it compliance and controls, IT Controls, james deluccia, jdeluccia, new frontier, organizational change, scada, Security, strategic, trend
Interesting quotes from guys that demonstrated attack vectors in Google’s Chrome during Blackhat 2011:
“The software security model we’ve been dealing with for decades now has been reframed,” Johansen said. “It’s moved into the cloud and if you’re logged into bank, social network and email accounts, why do I care what’s stored in your hard drive?”
- An important illumination regarding the shifting of the risk landscape. How the user interfaces with data and the system has changed and challenges the current technology controls relied upon to safeguard the intellectual property.
- What is the effective rate of end-point security (malware / phishing agents, anti-virus) on this new user case?
- What is being deployed and effective – policy, procedure, technology, a hybrid?
“While the Chrome browser has a sandboxing security feature to prevent an attack from accessing critical system processes, Chrome extensions are an exception to the rule. They can communicate among each other, making it fairly easy for an attacker to jump from a flawed extension to steal data from a secure extension.”
- Speaks to the issue of convergence of apps that are emerging on iPhones, Androids, respective tablets, TVs, browsers, operating systems, etc… Similar to the fragmentation attacks of the past – where packets would be innocent separate, but when all received they would reform to something capable of malicious activity.
Interesting extension of risk here is that the platform and / or devices may be trusted and accepted by enterprises, but it is these Apps / Widgets / Extensions that are creating the security scenarios. This requires a policy and process for understanding the state of these platforms (platforms here including all mobile devices, browsers, and similar App-Loadable environments) beyond the gold configuration build.
Another article on the Google Chrome extension risk described above.
Posted in information security, Security
Tagged 2011, best practices, blackhat, chrome, cloud computing, Compliance, cybersecurity, defcon, google, it compliance and controls, IT Controls, PCI DSS, Security, virtualization
Joseph Black a counter-terrorism expert spoke at Blackhat on Cyberwar and the challenges of communicating the threats to leadership. A few core highlights of that talk:
“…toughest thing about predicting terrorist attacks was getting people in power to take the predictions seriously and to do something about it.”
- Similar challenges exist within business organizations where risk landscapes may be incomplete or lack linkages across the enterprise’s business elements and information security programs.
- The media attention to data breaches though may create clarity on this threat.
“Validation of threats will come into your world,” Black said. “There is a delay to that validation. This is the greatest issue you are going to face.”
- Meaning it will occur, but definitive examples and “reasons for deterrence” will not arise until it has already occurred. So appropriate to begin maturing the minimization and management of valuable data and the incident response capabilities…
“…We are moving from the Cold War to ‘code war.'”
- A code war yes for governments, but the driver for business leaders is the notion around businesses and nation states stealing intellectual property (which is defined loosely and inaccurately by many) to create competitive alternatives OR to bolster local quality of life for a unit of people.
There are interesting public examples where digital attacks created an advantage for an attacking force, and achieved the results that would have required military kinetic force. Two examples include the hacking of Syria’s radar software in 2007 that allowed for the bombing of a nuclear reactor (Syrian radar screens were made blank), and Stuxnet that caused the centrifuges to spin aggressively while displaying readings to operators showing normal operation (this caused a multi-year negative impact to these plants).
“…the problem with cyber warfare is the “false flag,” where countries responsible for cyber attacks will be able to plausibly deny responsibility or otherwise shift the blame to a rogue element.”
- Attribution challenges make kinetic responses highly susceptible to trickery / fraud.
The seriousness and sophistication of attack, motivation, and intent against organizations is palpable. The next few years equal sophistication must be applied to deterrence and management of information security.
Other thoughts, research, insights?
– James DeLuccia
This week we learned that after considerable effort a vulnerability has been uncovered within the popular and previously most secure method of wireless encryption – WPA2. In classic form, the researcher will demonstrate at Defcon 18. You may find additional (repetitive) writings here and here.
To recap WPA2 has been the recommended standard for many public industry best practice guidances, and has been the classic default in most wireless deployments. However, this is not a “serious problem“…
Deploying wireless has been proven to be insecure since its inception, and as such best practices consistently advise that these wireless networks be deployed “as if they they were public connection”, and therefore are secured accordingly. Specifically wireless networks are advised to be deployed on a network connection external to your corporate data network. In this architecture the user may gain access to the public internet (with advisable filtering and automated trigger monitoring to prevent a slew of spam generation), and simply leverages their already familiar VPN connectivity software. This provides a secure tunnel for all data transmissions and eliminates the past, present, and upcoming wireless encryption vulnerabilities.
The PCI DSS standard in fact requires compensating controls if an organization chooses to deploy wireless to enhance the existing security state where wireless is required.
Wireless is a great business enabler, but should be architected, secured, and monitored in a manner that reflects the inherent trust aspects raised with the implementation.
A nice writeup, as always, can be found at Darknet.
Posted in Compliance
Tagged 2010, best practices, cloud computing, Compliance, data breaches, defcon, it compliance and controls, IT Controls, pci, PCI DSS, Security, wpa2
The securing of information assets is the core to ensuring operational integrity for every business, and is supported by security and compliance safeguards. The near constant stream of innovation over the past 10 years has provided near ubiquitous wire(less) connectivity to an abundant number of devices. Matched equally to this innovation and connectivity is the transportability of data. Of course the data must be transported and portable; however, it must be done in a manner that supports the organization’s entire strategic objectives.
The reality of wireless technology has reached a crescendo with regards to WIFI / 802.11 within the payment card industry where encryption and two factor authentication was required to leverage these technologies. Due to a number of data breaches (presumably), specific wireless technology is being banned from the payment card network. Guidance on the wireless guidelines may be found here.
These lessons – that wireless technology can be eavesdropped; that the data can float literally anywhere (for confirmation turn on your wireless network card on an airplane and fire up a DHCP gateway application); that the only way to secure it is through strong crypto and TWO factor authentication. All of these seem clear, but the last one should be elaborated on to understand that risks of Bluetooth and RFID.
2 Factor authentication beyond ensuring the identity of the individual provides a far more important safeguard – that the user intended to make a connection and goes through the handshake process. This does not exist in these other technologies, and creates a great deal of risk to the users of these systems.
To provide specific context to why Bluetooth and RFID are risky business without proper safeguards consider the following:
- Bruce Scheiener’s post on how passport RFID is dangerous and susceptible to attacks. Here is a Wired article with more details.
- DefCon radio scanners “read” and “recorded” the information off of security badges from the attendees. This is the most security conscious / paranoid group that you can assemble, and this scanner caught unsecured badges.
- When attending it is near unanimous that all wireless radios should be disabled
- The data on these RFID type devices contains things as simple as identifiers to full names and departments.
(iphone focus of post, but applicable to all such capable devices) prior to getting on a plane TO Blackhat / DefCon. The reason is simple: it is near certain that someone is running a scanner.
In the end these technologies do provide essential functions, but should cautiously deployed where security can be ensured and is tested properly. Care should be given to the information applied to these transmitting devices.
NIST has a nice document here (800-98)
Posted in Compliance
Tagged 2009, 802.11, best practice, blackhat, bluetooth, bruce scheiener, Compliance, defcon, insecure, passport, rfid, Security