Tag Archives: deluccia

Russians used non-public exploits to hack governments; Debunking: skill vs. budget


Organizations being hacked is not always the result of a superior adversary; more often than not (I think the figure is closer to 85% defender mistakes vs. 15% “very skilled” attackers) it is the result of poor defenses. The recent Russian hacking against the White House website (note that GAO rated MOST Federal agencies as failing with regard to their information security postures) was labeled skilled because the attackers used not-yet-known vulnerabilities. That is a generous leap in conclusion.

Their sophistication is not the factor here; they have the budget to buy such vulnerabilities on the open market. These are readily available, and a successful attack could be orchestrated for less than $10k. According to public sources, the most expensive vulnerabilities cost around $100k, easily within the reach of any financed attack group.

As we enter the week of RSA, with the slew of discoveries likely to be released this week, let’s be pragmatic about their impacts and the defender’s role.

They’ve determined that APT28, a politically-motivated Russian hacking group, used unpatched exploits in Flash Player and Windows in a series of assaults against a “specific foreign government organization” on April 13th. Patches for both flaws are either ready or on the way, but the vulnerabilities reinforce beliefs that APT28 is very skilled — less experienced groups would use off-the-shelf code.

via Russians are using undiscovered exploits to hack governments.

See you at RSA!

James @jdeluccia

State of compliance vs. compliant, re: New PCI Compliance Study | PCI Guru

A new study was released by Branden Williams and the Merchants Acquirer Committee (MAC), and it is worth a read. One aspect that jumped out at me is the gap between the “compliance” and “compliant” rates shared in the study: the difference between those who have represented being PCI compliant through Attestations of Compliance (AOC) and those who have had their programs pressure-tested by the criminals of the world and been found wanting.

Here is the snippet from PCI GURU that highlights this state of discrepancy:

The biggest finding of the study and what most people are pointing to is the low compliance percentages across the MAC members’ merchants.  Level 1, 2 and 3 merchants are only compliant around 67% to 69% of the time during their assessments.  However, most troubling is that Level 4 merchants are only 39% compliant.

Depending on the merchant level, these figures are not even close to what Visa last reported back in 2011.  Back then, Visa was stating that 98% of Level 1 merchants were reported as compliant.  Level 2 merchants were reported to be at 91% compliance.  Level 3 merchants were reported at 57% compliance.  As is Visa’s practice, it only reported that Level 4 merchants were at a “moderate” level of compliance.

via New PCI Compliance Study | PCI Guru.

Here is the link to the report from Branden & MAC

The Board of Directors, the CISO, and legal counsel should all care deeply that PCI security (and certainly that required by other contractual agreements) is achieved honestly. Too often organizations treat this like registering a car with the government. It is far too complex and too impactful to people inside and outside a given business for that. The cyber-economic connections between proper, efficient, and effective security all lend themselves to better products in the market and more focus on what the business is driving toward.

Is your program honestly secure and fully addressing these minimum practice principles?

Best,

James

Bank Hackers Steal Millions ($100M+) via Malware & long campaign – NYTimes.com

A good article was released in the NYT today highlighting a prolonged attack on up to 100 banks, in which the attackers learned the banks’ methods and then exploited them. What is interesting here is that the attackers studied the banks’ own processes and then customized their behavior accordingly.

It is hard to imagine these campaigns succeeding for as long as they did if the malware had been detected (which is possible with periodic security process reviews), or if the bank processes had been re-examined by risk officers for activity sitting just inside the dollar thresholds. It is typical for data to be slowly “dripped” out of networks to stay below thresholds (which is where signatures become essentially worthless as a preventive/detective tool), so the same kind of behavioral analysis is needed for fraud at the human/software process level.
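To make the threshold point concrete, here is an added example (mine, not the NYT article’s or Kaspersky’s) of the difference between a per-transaction rule and a windowed aggregate over the same ledger. Every transfer in the constructed sample stays under a hypothetical $10M per-transaction ceiling, so the naive rule never fires; summing by destination over a sliding window catches the structured drip. The limits, window length, account names and amounts are all assumptions for illustration.

```python
"""Aggregate-threshold detection for "low and slow" transfer fraud.

Added example, not code from the article or from Kaspersky's report.
Each transfer is kept under the per-transaction limit so a single-
transaction rule is blind; a sliding-window sum per destination is not.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical rule parameters (assumptions, not figures from the article).
PER_TXN_LIMIT = 10_000_000          # single-transfer ceiling the attackers stay under
WINDOW = timedelta(days=7)          # look-back window for the aggregate rule
AGG_LIMIT = 10_000_000              # alert when a destination's window total reaches this

# Constructed sample ledger: (timestamp, source account, destination, amount in USD).
SAMPLE_TRANSFERS = [
    ("2015-01-05 09:12", "ACC-100", "MULE-01",  4_800_000),
    ("2015-01-06 10:03", "ACC-100", "MULE-01",  3_900_000),
    ("2015-01-08 14:40", "ACC-100", "MULE-01",  2_700_000),
    ("2015-01-07 11:15", "ACC-200", "VENDOR-7", 6_000_000),
    ("2015-03-01 08:00", "ACC-300", "MULE-01",  9_500_000),
]


def parse(rows):
    """Parse timestamps and return the ledger in chronological order."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, dst, amt)
              for ts, src, dst, amt in rows]
    return sorted(parsed)


def per_transaction_alerts(rows, limit=PER_TXN_LIMIT):
    """Naive rule: flag any single transfer at or above the limit.

    Returns a list of (destination, amount) tuples; empty for the sample,
    because every transfer was sized to stay under the ceiling.
    """
    return [(dst, amt) for _, _, dst, amt in parse(rows) if amt >= limit]


def aggregate_alerts(rows, window=WINDOW, limit=AGG_LIMIT):
    """Sliding-window sum of transfers per destination.

    Returns a list of (destination, window_total, transfer_count) for each
    point where a destination's total within the window reaches the limit
    across more than one transfer.
    """
    alerts = []
    history = defaultdict(list)     # destination -> [(timestamp, amount)] inside the window
    for ts, _, dst, amt in parse(rows):
        hist = history[dst]
        hist.append((ts, amt))
        # Evict transfers that have aged out of the look-back window.
        while hist and ts - hist[0][0] > window:
            hist.pop(0)
        total = sum(a for _, a in hist)
        if total >= limit and len(hist) > 1:
            alerts.append((dst, total, len(hist)))
    return alerts


if __name__ == "__main__":
    print("per-transaction rule:", per_transaction_alerts(SAMPLE_TRANSFERS))
    print("windowed aggregate   :", aggregate_alerts(SAMPLE_TRANSFERS))
```

Run as-is, the per-transaction rule returns nothing, while the aggregate rule flags MULE-01 on the third transfer (three transfers totalling $11.4M inside the seven-day window). The March transfer, although large, lands alone in its window and is not flagged; keying the aggregate on destination rather than on source is deliberate, since a mule account typically collects from several victims.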

I look forward to the report so I can analyze the campaign and share any possible learnings beyond this surface article. Two highlights of the NYT article jumped out at me:

Kaspersky Lab says it has seen evidence of $300 million in theft from clients, and believes the total could be triple that. But that projection is impossible to verify because the thefts were limited to $10 million a transaction, though some banks were hit several times. In many cases the hauls were more modest, presumably to avoid setting off alarms.

The hackers’ success rate was impressive. One Kaspersky client lost $7.3 million through A.T.M. withdrawals alone, the firm says in its report. Another lost $10 million from the exploitation of its accounting system. In some cases, transfers were run through the system operated by the Society for Worldwide Interbank Financial Telecommunication, or Swift, which banks use to transfer funds across borders. It has long been a target for hackers — and long been monitored by intelligence agencies.

via Bank Hackers Steal Millions via Malware – NYTimes.com.

The report is planned for release on Feb 16, and I hope there are substantial facts on the campaign.

Thanks to Kaspersky for continuing to lead research and provide solutions.

Best,

James


How a leader works across teams – Battlefield Leadership series

La Fiere

At La Fiere Bridge and throughout Normandy on the day of the invasion, soldiers were separated from those they had trained with for over two years. The leadership ranks and familiarity were lost. Most men were in the wrong place, unsure of their location, without their gear, and forced to proceed alone. The training of regrouping and proceeding did not serve the Airborne well on that first morning of battle.

What could be described as a case study in disaster is instead one of success. These individuals proactively began to join up with other members of the Allied forces. As the groups grew from two, to four, to ten, and onward, the natural command structure came into force. The individuals became effective in their fields and began to seek out their objectives as a whole.

This was possible due to the training instilled in each of them, the respect they had for the service they were in, and the ingrained ‘take-the-initiative’ culture of each leader. This was certainly true for the Airborne, but can also be found with the Infantry landing on the beaches.

Business Reflections…

The success here is broken down to two main areas: respect and training. Each individual knew what was demanded of them and what was demanded of the individuals around them. There was an appreciation and respect for the chain of command and authority. This respect was carried from the training to the battle fields. Leaders demonstrated their experience and capability with the troops from the beginning up to the bitter end.

Following the military analogy in business, the battle at La Fiere Bridge conveys the need for an organization that promotes respectable individuals based on skill and capability. Business success also requires some form of hierarchy that instills direction and command within the units. The hierarchy in some businesses can be quite flat, but even in the flattest organization there are those who are the ‘go-to’ employees due to experience, budget, and capability to make larger company decisions. This business structure also allows the smallest of groups to function without the most-senior leadership, so long as some senior party is involved.

If an organization establishes the first two baseline requirements (skill and capability), it is able to mix individuals and teams together on an as-needed basis. The caveat here is a shared awareness on the ‘command objective,’ or simply ‘the big picture.’

The potential to mix resources has proven highly effective in every branch of the military and is true in business as well. Deploying a team of pure technical individuals is a mistake, and one of only business-minded individuals is similarly at risk of failure. The benefits of diversity within an organization are innumerable. The key here is to instill a level of respect through authority, experience, and competency among diverse crowds.

Takeaways:

  1. Does your organization have a hierarchy that is based on merit?
  2. Is the culture of your business one that respects the established hierarchy?
  3. Is the command objective known?
  4. Is the capability and competency of all levels consistent to allow for the smallest teams to achieve command objectives?
  5. What is the effective size of the teams and what supports are offered to the teams?

What is Battlefield Leadership and what is this series about … 

This is the final paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs specifically in the online services / cloud leader space). Personally I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate to very smart business leaders and to the common person on the street. My new book – How Not to be hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share them to continue the conversation with the great individuals I met, and with the larger community.

Kind regards,

James

Overcoming team, enterprise, and self analysis paralysis – Battlefield Leadership series

The Only Thing Wrong with Nothing Happening is the Fact that Nothing is Happening

A leader must be effective in the following tasks:

  • Invigorating a unit with disparate needs.
  • Managing time. There is always something a leader can do. Always.
  • Self confidence. Leaders must trust their instincts and previous experiences.
  • Innovation. When confronted with a situation different than planned, a leader needs to devise a new plan of attack.

The battle at Utah Beach demonstrates this through Roosevelt’s commands upon landing in the first wave. Roosevelt succeeded by leading the troops and deciding on the next actions quickly according to the factors of the moment.

Port en Bessin

Business Reflections…

As a leader of self, family, and business, one must adopt these principles. The ability to positively affect these three factions is paramount to success. To succeed in life, one must adopt the following capabilities:

  1. Recognition of scenarios.
  2. Energy to execute.
  3. No hesitation and no over-analysis; avoid paralysis.
  4. Foresight, having vision on the second step and continuing forward.
  5. Escaping the echo chamber of the mind and protocol.



Kind regards,

James