Tag Archives: fisma

When Cryptography is irrelevant, bypassing key card security

A malware-executed attack was highlighted by ActivClient, which provides technology for secure authentication (smart cards that comply with GSC-IS 2.1).  The attack is described in detail on a number of sites, such as Security Week here, and I would encourage reading the explanation of the attack by AlienVault here.

What is interesting here, and relevant to all security practitioners and sectors, is that cryptography at some levels can be made irrelevant.  The immense sophistication of the cryptography and hardware manufacturing placed within these keycards and their infrastructure is, in this case, countered simply by capturing the PIN that is associated with the key.  That allows an attacker to access the protected resources the card was designed to restrict.  Specifically, the attack works because the attacker obtains the PIN through a key logger, then binds it to the local computer's certificate, and finally attacks remote resources protected by the key card whenever the card is connected.

In all, a pretty elegant way of defeating what would otherwise be a complex and low-return attack vector (attacking the cryptography itself).

The takeaway is that, as always it seems, the old assumption that hardware, cryptography, and standard processes are enough is wrong.  A practice of continually evaluating the impact of new attack types (variants) and the new abilities of attackers is required.  Plus, the ongoing trend of attacking the underlying security safeguards as a means of attacking an organization has reached a critical level.  In the past 12 months anti-virus source code has been stolen; two-factor authentication tokens have been perceived as insecure due to the RSA breach; Certificate Authorities have been breached and poisoned; and now this demonstration of bypassing card security.

The malware, yes, could be detected through anti-malware and behavioral IPS-type technology on the network and host.  The increased activity and parallel queries of a single user could, yes, be detected.  The vulnerabilities allowing the installation in this particular case could also be patched.  The result, though, is still an ongoing need to evolve security practices: monitor and respond rapidly to suspect activity, and reduce or limit access as much as possible.
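To make the "increased activity / parallel queries" detection concrete, here is an added example (not code from the original post, ActivClient, or any vendor) of a small log analyzer. It assumes a constructed authentication log format of one line per card-backed authentication (timestamp, user, source host, target resource) and flags two patterns a reused card would produce: a burst of distinct resources by one identity inside a short window, and one identity authenticating from more than one host at nearly the same time, which a single physical card cannot legitimately do. The log lines, window sizes and thresholds are all constructed for illustration.

```python
"""Detector for anomalous smart-card authentication patterns.

Added example, not from the original post. The log format below is an
assumption made for this example; adapt the parser to your own
authentication logs (domain controller, VPN, web portal, etc.).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<id> host=<source> resource=<target>"
# jdoe: one host hitting six resources in ten seconds (burst pattern)
# asmith: same identity from two hosts 20 seconds apart (multi-host pattern)
# bjones: ordinary, low-rate activity (should not be flagged)
SAMPLE_LOG = """\
2012-01-12T09:00:05 user=jdoe host=ws-201 resource=portal.example.gov
2012-01-12T09:00:09 user=jdoe host=ws-201 resource=files.example.gov
2012-01-12T09:00:11 user=jdoe host=ws-201 resource=hr.example.gov
2012-01-12T09:00:12 user=jdoe host=ws-201 resource=erp.example.gov
2012-01-12T09:00:14 user=jdoe host=ws-201 resource=wiki.example.gov
2012-01-12T09:00:15 user=jdoe host=ws-201 resource=git.example.gov
2012-01-12T09:00:40 user=jdoe host=ws-201 resource=mail.example.gov
2012-01-12T09:00:41 user=asmith host=ws-118 resource=portal.example.gov
2012-01-12T09:05:30 user=asmith host=ws-118 resource=mail.example.gov
2012-01-12T09:05:50 user=asmith host=ws-333 resource=hr.example.gov
2012-01-12T10:15:00 user=bjones host=ws-042 resource=portal.example.gov
2012-01-12T10:45:00 user=bjones host=ws-042 resource=mail.example.gov
"""


def parse_log(text):
    """Parse log text into a time-sorted list of (ts, user, host, resource)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts_str), kv["user"], kv["host"], kv["resource"]))
    events.sort()
    return events


def find_anomalies(events, window=timedelta(seconds=30), max_resources=4):
    """Return sorted (user, reason) findings.

    'burst'      : more than max_resources distinct resources within `window`.
    'multi-host' : the same identity authenticating from >1 host within `window`.
    Thresholds are illustrative; tune them against your own baseline.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    findings = set()
    for user, evs in by_user.items():
        start = 0
        # Sliding window over this user's events (already sorted by time).
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            resources = {e[3] for e in window_evs}
            hosts = {e[2] for e in window_evs}
            if len(resources) > max_resources:
                findings.add((user, "burst"))
            if len(hosts) > 1:
                findings.add((user, "multi-host"))
    return sorted(findings)


def analyze(text=SAMPLE_LOG):
    """Convenience wrapper: parse and analyze a log in one call."""
    return find_anomalies(parse_log(text))


if __name__ == "__main__":
    for user, reason in analyze():
        print(f"ALERT user={user} pattern={reason}")
```

Running the block on the constructed log flags jdoe for a burst and asmith for multi-host use, while bjones is left alone. In practice the burst threshold should be derived from each user's normal rate, and a multi-host hit is the stronger signal because it contradicts the physical model of one card in one reader.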

Other thoughts and avenues?

Kind regards,

James DeLuccia IV



Excerpts from s.773 as introduced in the U.S. Senate: Cybersecurity Act of 2009

The following excerpts from S.773 were of particular interest.  I strongly suggest reading the full bill and the included comments, as this will affect global information technology security controls in the near future.


(b) CRITERIA FOR STANDARDS- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.

Developing standards based on a “Risk Profile” is far more universal and feasible to execute than the minutiae that exist broadly today.  It is important to note that the Risk Profile for one institution will differ from that of another institution based on the infrastructure, management setup, personnel, and third-party service providers involved in the business/government processes.  This is equally true for businesses, and a point often raised with regard to PCI DSS: it addresses specific risks for specific data, but is not an appropriate information security framework for all / any / whole businesses.


(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated…as a critical infrastructure information system or network, who is not licensed and certified under the program.

The establishment of a mandatory certification program is important, and valuable.  I would stipulate that a series of certifications shall be presented (likely from an existing training provider, such as SANS) to provide certifications that reflect specific subject areas (network security; application security; governance and compliance; etc…).


(b)(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access

The consolidation of “relevant data” will create a large amount of information that can be transformed into very actionable intelligence for both public and private institutions.  It is great that (c) INFORMATION SHARING allows the private sector to access this data repository.  The amount of trending and innovation that could be developed would be significant.  Conversely, it is also highly risky to set up widespread data-sharing permissions and large-scale transmission of likely sensitive data, and organizations will tend to institute data masking and privacy measures that limit their risk but also limit the value of such data.

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network

This is a section that has received widespread attention, so I shall not comment but it is a concern that should be evaluated by all parties.

As this bill is continually debated and amended it will surely change, but it is critical that security professionals understand the intent of this legislation.  It is this core intent that will prevail in the long term.  The focus on information security and national threats is escalating, as highlighted specifically in the 2009 Report to Congress on the US-China Economic and Security Review Commission and the ‘Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation’ report (there are many threats across the globe, but these two reports are highlighted simply because of their recent release).

Comments / Concerns?

James DeLuccia

IT Strategy and Governance: Avoiding the pitfalls of Perception Bias…

In a recent article for the Payment Card Industry magazine Secure Payments, I introduced the conceptual idea of Information Technology Governance as a bicycle wheel, with the organization being made up of the spokes (representing all initiatives: contractual, regulated, competition-necessitated) and the rounded wheel depicting the operating strategy of the business, fully integrated and inter-dependent.  Check out the article here online (starting on page 24), or join the SPSP and receive complimentary copies in the mail.  I distinguish the challenges of organizations focusing on single regulations as a means of orchestrating their security and compliance programs.  The concept of creating a custom control framework is articulated and broken down in IT Compliance and Controls, which I published last year with John Wiley and Sons (for those looking for greater discussion and practical advice).
Why is that wrong? To extend upon the article's points: the information technology operations of a business are unique to every business, as unique as the culture of the business.  While the parts that make up the information technology (routers, switches, clouds, software, etc.) are common, their combination and implementation make up the competitive advantage of the business.  So, if following one regulation is not appropriate for all businesses, is it appropriate for those within a particular industry?  Simply answered, no.
The organization, in the instance of PCI DSS, is susceptible to many different risks.  These risks relate to geography, staffing, operational decisions, and factors external to the business.  Each standard is conceived under the premise that, in a single environment, XYZ are the risks and the appropriate mitigating responses.  This premise falls apart when additional concerns, assets, and risks are introduced.
IT Strategy and Governance must constitute a merging of business aptitude with technology capability.  This is a topic we will revisit with greater specifics and tools to achieve this objective.  Thoughts / Concerns?

Kind regards,

James DeLuccia IV

Devolution, Forrester, Synergies, and reducing TOC

Devolution was pitched yesterday by Forrester researcher Andrew Jaquith on a webcast entitled “Effective Data Security: No Forklift Required”. I quite enjoyed the presentation and thought the concepts were timely and consistent with what has been needed in the market. In fact, I spoke on this last year at the RSA Conference 2008 and dedicated a portion of my book IT Compliance and Controls to this concept. However, my focus was on synergies across business controls and operational targets and less upon the DLP-type challenges Forrester was addressing. The Forrester research provided good details on the expected shifts in budget, but not on how IT functions and security safeguard requirements will evolve in these situations.

There is tremendous value to be gained from current technology deployments, and tremendous waste occurs when organizations do not communicate. While that is not a very insightful statement, one should consider this: organizations that require their technology to meet 99.9xx% uptime and undergo several audits on privacy / PCI / SOX / IFRS / FISMA / HIPAA without aligning the underlying technology components are wasting money and time. Specifically, according to my research and field experience, these institutions tend to be more INsecure despite the heavy focus on meeting audit deadlines and customer SLAs. To save on budget, regardless of the state of the economy, find synergies and move forward with better security and fewer service problems. A key litmus test: does your staff have to respond more than once for an audit? If so, this is a symptom of wasted effort and untapped budget flexibility.

During the Forrester call there were several great questions posed. If you are able to attend future Research calls I would advise posting questions to ensure maximum value.

Thoughts and Comments?

James DeLuccia IV

**Speaking at RSA 2009 on the Payment Card Industry, April 22nd 2009**