Tag Archives: deluccia

Russians used non-public exploits to hack governments; Debunking: skill vs. budget

blind-men-and-the-elephant

Organizations being hacked is not always the result of a superior adversary, but more often than not (I think the figure is closer to 85% defender mistakes vs. 15% “very skilled” attackers) the result of poor defenses. The recent Russian hacking highlights against the White House website (note that GAO rated MOST Federal agencies as failing with regard to their information security postures) were described as skilled because the attackers used not-yet-known vulnerabilities. This is a generous leap in conclusion.

Their sophistication is not the factor here; they have the budget to buy such vulnerabilities on the open market. These are easily available, and a successful attack could be orchestrated for less than $10k. According to public sources, the very expensive vulnerabilities cost around $100k, easily within the reach of any financed attack group.

As we enter the week of RSA, and likely a slew of discoveries released this week, let’s be pragmatic about their impacts and the defender’s role.

They’ve determined that APT28, a politically-motivated Russian hacking group, used unpatched exploits in Flash Player and Windows in a series of assaults against a “specific foreign government organization” on April 13th. Patches for both flaws are either ready or on the way, but the vulnerabilities reinforce beliefs that APT28 is very skilled — less experienced groups would use off-the-shelf code.

via Russians are using undiscovered exploits to hack governments.

See you at RSA!

James @jdeluccia

State of compliance vs. compliant, re: New PCI Compliance Study | PCI Guru

A new study was released by Branden Williams and the Merchants Acquirer Committee (MAC), and it is worth a read. One aspect that jumped out at me is the percentage of compliance vs. compliant rates shared in the study. The difference here is between those who have represented being PCI Compliant through Attestations of Compliance (AOC) and those who have had their programs pressure tested by the criminals of the world, and been found wanting.

Here is the snippet from PCI GURU that highlights this state of discrepancy:

The biggest finding of the study and what most people are pointing to is the low compliance percentages across the MAC members’ merchants.  Level 1, 2 and 3 merchants are only compliant around 67% to 69% of the time during their assessments.  However, most troubling is that Level 4 merchants are only 39% compliant.

Depending on the merchant level, these figures are not even close to what Visa last reported back in 2011.  Back then, Visa was stating that 98% of Level 1 merchants were reported as compliant.  Level 2 merchants were reported to be at 91% compliance.  Level 3 merchants were reported at 57% compliance.  As is Visa’s practice, it only reported that Level 4 merchants were at a “moderate” level of compliance.

via New PCI Compliance Study | PCI Guru.

Here is the link to the report from Branden & MAC

Boards of Directors, CISOs, and legal should all care deeply that PCI security (and of course, and certainly, security under other contractual agreements) is achieved honestly. Too often organizations view this like registering a car with the government. This is far too complex and impactful to people within and outside a given business. The cyber economic connections between proper, efficient, and effective security all lend to better products in the market and more focus on what the business is driving towards.

Is your program honestly secure and fully addressing these least practice principles?

Best,

James

Bank Hackers Steal Millions ($100M+) via Malware & long campaign – NYTimes.com

A good article was released by the NYT today highlighting a prolonged attack on up to 100 banks, where methods were learned by attackers and then exploited. What is interesting here is that the attackers studied the banks’ own processes and then customized their behaviors accordingly.

It is hard to imagine these campaigns succeeding for as long as they did if the malware had been detected (which is possible with periodic security process reviews), or if the banks’ processes had been re-examined by risk officers for activity sitting just inside the dollar thresholds. It is typical for data to be slowly “dripped” out of networks to stay below thresholds (which is why signatures are essentially worthless as a preventive/detective tool here), and so similar fraud behavior has to be looked for at the human/software process level.
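As an added illustration of the process-level check described above (this is not code from the article or from Kaspersky’s report), the following Python script aggregates per-account transfer activity over a rolling window so that transfers individually kept just under a review threshold are still surfaced. The transfer log, the threshold values and the window length are all constructed assumptions for the example.

```python
"""Low-and-slow transfer detection (added example, not from the original post).

A per-transfer review threshold is easy to stay under; summing an account's
activity over a rolling window, and counting how often it lands just under the
threshold, surfaces the "drip" pattern anyway.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample transfer log (not from the article or Kaspersky's report):
# (ISO-8601 timestamp, account id, amount in USD).
SAMPLE_TRANSFERS = [
    ("2015-02-01T09:05:00", "ACC-1001", 9_800.0),
    ("2015-02-01T13:40:00", "ACC-1001", 9_900.0),
    ("2015-02-02T08:15:00", "ACC-1001", 9_750.0),
    ("2015-02-03T17:20:00", "ACC-1001", 9_950.0),
    ("2015-02-01T10:00:00", "ACC-2002", 12_000.0),
    ("2015-02-05T11:00:00", "ACC-3003", 4_000.0),
    ("2015-02-20T11:00:00", "ACC-3003", 4_500.0),
]

# Hypothetical control parameters (assumptions, not figures from the article).
SINGLE_REVIEW_THRESHOLD = 10_000.0   # a single transfer at/above this is reviewed
NEAR_THRESHOLD_FRACTION = 0.90       # "just under" = within the top 10% below the threshold
MIN_NEAR_THRESHOLD_COUNT = 3         # this many near-threshold transfers in one window is suspicious
WINDOW = timedelta(days=7)           # rolling window over which per-account totals are summed
AGGREGATE_THRESHOLD = 25_000.0       # rolling per-account total that triggers review


def _parse(transfers):
    """Parse and sort records by time so the sliding window is well-defined."""
    parsed = [(datetime.fromisoformat(ts), acct, float(amt)) for ts, acct, amt in transfers]
    return sorted(parsed, key=lambda rec: rec[0])


def detect_suspicious_transfers(transfers):
    """Return {account: sorted list of reason strings} for accounts needing review.

    Three checks run per account:
      1. the existing single-transfer threshold (what a naive control already does);
      2. the rolling-window sum, which catches a large total split into small pieces;
      3. a count of transfers sitting just under the single threshold, which is the
         "drip" pattern itself even when the rolling sum stays modest.
    """
    by_account = defaultdict(list)
    for ts, acct, amt in _parse(transfers):
        by_account[acct].append((ts, amt))

    alerts = defaultdict(set)
    for acct, rows in by_account.items():
        window = []  # (timestamp, amount) pairs within WINDOW of the current transfer
        for ts, amt in rows:
            if amt >= SINGLE_REVIEW_THRESHOLD:
                alerts[acct].add("single transfer at or above review threshold")
            window.append((ts, amt))
            window = [(t, a) for t, a in window if ts - t <= WINDOW]
            total = sum(a for _, a in window)
            near = [a for _, a in window
                    if NEAR_THRESHOLD_FRACTION * SINGLE_REVIEW_THRESHOLD <= a < SINGLE_REVIEW_THRESHOLD]
            if total >= AGGREGATE_THRESHOLD:
                alerts[acct].add("rolling-window total exceeds aggregate threshold")
            if len(near) >= MIN_NEAR_THRESHOLD_COUNT:
                alerts[acct].add("repeated transfers just under review threshold")
    return {acct: sorted(reasons) for acct, reasons in alerts.items()}


if __name__ == "__main__":
    for acct, reasons in sorted(detect_suspicious_transfers(SAMPLE_TRANSFERS).items()):
        print(acct, "->", "; ".join(reasons))
```

On the constructed log, ACC-1001 never crosses the single-transfer threshold yet is flagged on both the rolling total and the near-threshold count, ACC-2002 is caught by the ordinary single-transfer rule, and ACC-3003’s two small transfers fifteen days apart produce nothing. The window length and thresholds are the knobs a risk officer would tune against real transaction volumes.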

I look forward to the report to analyze the campaign and share any possible learnings beyond this surface article. Two highlights of the NYT article jump out at me:

Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.

The hackers’ success rate was impressive. One Kaspersky client lost $7.3 million through A.T.M. withdrawals alone, the firm says in its report. Another lost $10 million from the exploitation of its accounting system. In some cases, transfers were run through the system operated by the Society for Worldwide Interbank Financial Telecommunication, or Swift, which banks use to transfer funds across borders. It has long been a target for hackers — and long been monitored by intelligence agencies.

via Bank Hackers Steal Millions via Malware – NYTimes.com.

The report is planned for release on Feb 16, and I hope there are substantial facts on the campaign.

Thanks to Kaspersky for continuing to lead research and provide solutions.

Best,

James


How a leader works across teams – Battlefield Leadership series

La Fiere

At La Fiere Bridge and throughout Normandy on the day of the invasion, soldiers were separated from those that they had trained with for over two years. The leadership ranks and familiarity were lost. Most men were in the wrong place, unsure of their location, without their gear, and were forced to proceed alone. The training of regrouping and proceeding did not serve the Airborne well on that first morning of battle.

What could be described as a case study in disaster is instead one of success. These individuals proactively began to join up with other members of the Allied forces. As the groups grew from two, to four, to ten, and onward, the natural command structure came into force. The individuals became effective in their fields and began to seek out their objectives as a whole.

This was possible due to the training instilled in each of them, the respect they had for the service they were in, and the ingrained ‘take-the-initiative’ culture of each leader. This was certainly true for the Airborne, but can also be found with the Infantry landing on the beaches.

Business Reflections…

The success here is broken down to two main areas: respect and training. Each individual knew what was demanded of them and what was demanded of the individuals around them. There was an appreciation and respect for the chain of command and authority. This respect was carried from the training to the battlefields. Leaders demonstrated their experience and capability with the troops from the beginning up to the bitter end.

Following the military analogy in business, the battle at La Fiere Bridge conveys a need to have an organization that promotes respectable individuals based on skill and capability. Business success also requires some form of hierarchy that instills direction and command within the units. The hierarchy in some businesses can be quite flat, but even in the flattest organization there are those who are the ‘go-to’ employees due to experience, budget, and capability to make larger company decisions. This business structure also allows for the smallest of groups to function without the most-senior leadership, so long as there is some senior party involved.

If an organization establishes the first two baseline requirements (skill and capability), it is able to mix individuals and teams together on an as-needed basis. The caveat here is a shared awareness on the ‘command objective,’ or simply ‘the big picture.’

The potential to mix resources has proven highly effective in every branch of the military and is true in business as well. Deploying a team of pure technical individuals is a mistake, and one of only business-minded individuals is similarly at risk of failure. The benefits of diversity within an organization are innumerable. The key here is to instill a level of respect through authority, experience, and competency among diverse crowds.

Takeaways:

  1. Does your organization have a hierarchy that is based on merit?
  2. Is the culture of your business one that respects the established hierarchy?
  3. Is the command objective known?
  4. Is the capability and competency of all levels consistent to allow for the smallest teams to achieve command objectives?
  5. What is the effective size of the teams and what supports are offered to the teams?

What is Battlefield Leadership and what is this series about … 

This is the final paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book – How Not to be hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share to continue the conversation with those great individuals I met, and with the larger community.

Kind regards,

James

Overcoming team, enterprise, and self analysis paralysis – Battlefield Leadership series

The Only Thing Wrong with Nothing Happening is the Fact that Nothing is Happening

A leader must be effective in the following tasks:

  • Invigorating a unit with disparate needs.
  • Managing time. There is always something a leader can do. Always.
  • Self-confidence. Leaders must trust their instincts and previous experiences.
  • Innovation. When confronted with a situation different than planned, a leader needs to devise a new plan of attack.

The battle at Utah Beach demonstrates this with Roosevelt’s commands upon landing in the first wave. Roosevelt succeeded by leading the troops and deciding on the next actions quickly according to factors of the time.

Port en Bessin

Business Reflections…

As a leader of self, family, and business one must adopt these principles. The ability to positively affect these three factions is paramount to success. To succeed in life, one must adopt the following capabilities:

  1. Recognition of scenarios.
  2. Energy to execute.
  3. No hesitation; avoidance of analysis paralysis.
  4. Foresight, having vision on the second step and continuing forward.
  5. Escaping the echo chamber of the mind and protocol.


What is Battlefield Leadership and what is this series about … 

As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book – How Not to be hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share to continue the conversation with those great individuals I met, and with the larger community.

Kind regards,

James

How do you decide what is Critical vs. Important – Battlefield Leadership series

The Difference Between Critical and Important

The understanding of self and team dynamic is paramount to success in the business world. The definition of success is ‘the achievement of the general objective.’ All too often individuals, teams, and companies lose focus and become distracted during action. Knowing what is important, being able to recognize a distraction, and refocusing resources on what is most critical are the best steps to success under fire.

Hillman Battery

Even today, a walk through Hillman Battery shows the defensive position of the Germans in the immediate path of the British Infantry. The Allies’ most critical task was to liberate Caen after the invasion, but the Allied (British) unit became distracted with destroying a defensive obstacle and was stalled for an entire day. Ultimately, the Allies were forced to repel counter attacks by the Germans along their flanks, which delayed the liberation of Caen until July.

If you are unaware of this part of D-Day, you can check out Stephen Ambrose’s book D-Day, which provides some rich details.

Business Reflections…

In business the correlation of ‘team’ and ‘self’ is critical. Oftentimes, important resources are lost when the team is disjointed. For example, wasting time (our most valuable resource!) can occur when you lose sight of the bigger picture. Thus, breaking down the big picture and defining what is important to you and your team allows for clear establishment and allocation of resources.

How does one avoid distractions? How can these be identified, measured, managed, and pushed off? Is the philosophy of saying ‘NO’ to everything but that which is the ultimate goal valuable? How does one position teams to understand the big picture and their critical objectives? Is the communication chain with choke points necessary, or can these be empowered within the teams?

  • Myself: The ‘big picture’ is being a parent directly and in the presence of my daughter. My secondary task is racing, training, and writing to better myself and others.
  • At Ernst & Young: Our Big Picture is realizing Vision 2020, the creation of a Better Working World. My teams are constantly seeking to create the best security and compliance programs based on global standards that are realized through the eyes of practitioners.
  • What are yours?


What is Battlefield Leadership and what is this series about … 

This is the fourth paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book – How Not to be hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share to continue the conversation with those great individuals I met, and with the larger community.

Kind regards,

James

Product development – Battlefield leadership series: WN60 – defensive positions by Germans at Omaha Beach

Leading up to the invasion of Normandy (read this book on the topic, a 2 week perspective shifting emotional journey), the leaders of each side had differing ideas about when an invasion should and would occur. The Allies came to the conclusion of low to mid-tide times, and the Germans believed that the Allies would prefer to invade during high tide.

The Germans built obstacles around the Omaha Beach shore. They created mines throughout the beach that would be hidden during high tide. Based on gun placements along the cliffs, the Germans were confident that this would be ideal in protecting their own. After preparations were finished, the Germans had dozens of gun placements providing criss-crossing machine gun fire over the entirety of Omaha Beach. As history shows, the Allied casualty rate indicates exactly how successful these gun placements were.

In preparation for attack, the Allies took the opposite perspective. Low tide provided easy exit pathways later at high tide. Low tide also allowed the Allies to see the obstacles, carefully avoid them, and easily destroy them. During the battle, the removal of obstacles allowed for a continued steady landing of forces after the initial invasion.

The Allies won; they got Omaha Beach. They were able to exploit gaps in the German defensive strategy through the application of carefully planned actions.

Business Reflections…

In a free market world, there is always someone who sees an opportunity that others do not. The advantages to each opportunity are weighed and measured. The result can be great or completely opposite. During the invasion of Normandy, fire from the Germans required the infantry on the ground to adjust from the original plan (most Allied troops were landed in the wrong zones, without the equipment they needed, and the general leadership structure was fractured due to the loss of so many soldiers at the landing). This ability — the ability to go off course of the original plan in order to find success in the heat of battle — is crucial to businesses and their teams.

Leaders are not always on the ground and cannot be effective if the teams have to seek out answers prior to taking an initiative. The successful Allies learned from prior landings to implement the following (all applicable to businesses as well):

  1. Training, a lot of training. The troops were trained clearly, relentlessly, and aggressively. The training included hands-on challenges with similar landscape and environmental hurdles.
  2. Building culture. Teams, squads, packs, etc. of individuals were grouped together, in most cases, since enlisting. These groupings created mass cohesiveness and inspired troops to push themselves and their fellow soldiers further than they thought possible (as in the desire to ‘stand strong in front of their comrades’).
  3. Unit command – localized leadership and decision making allowed the teams to respond, re-group, and deploy without micro-managed leadership (the Germans required authority to engage and move assets, and thus were too late in being effective in resisting the invasion force).

Leaders must consider how they are embracing the above, and how they have made themselves leaders instead of micro-managers with teams executing check-sheets. 



What is Battlefield Leadership and what is this series about … 

This is the second paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book – How Not to be hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share to continue the conversation with those great individuals I met, and with the larger community.

Kind regards,

James