Tag Archives: risk management

Copying access control cards is easier w/ $10 device being released at BlackHat 2015

Proximity access cards are no more secure than a standard key, and they can easily be replicated with a $10 (to be released) tool. This was shared on ZDNet and with Motherboard. I have highlighted two key sections below; for those interested in greater detail, definitely check out the article. If you are lucky enough to see the presentation live at BlackHat, that will surely be better.

While RFID technology can help secure enterprise offices in this way, the ease in which these access controls can be hacked has hit the spotlight in the form of a tiny device which costs only $10 to make.

Researchers Mark Baseggio from security firm Accuvant and Eric Evenchick from Faraday Future are the developers of the Bluetooth Low Energy device (BLEKey), a coin-sized device which skims RFID cards, allowing users to clone items such as access cards. The team says the release of the tool is “valuable for understanding the risks associated with insecure access controls and what steps companies can take to lower the risk of access control attacks.” – ZDNet Article

I would raise the point that these attacks can now be done so easily that it is questionable whether the “control” of physical access control can be fully trusted from a third-party assurance perspective, an industry perspective such as PCI, or a risk management perspective. One could argue that cameras support this protection, but those are only employed after damage has been discovered and are insufficient for all of the stakeholders involved.

“We wanted to create a device that would concretely and absolutely show and hopefully put the final nail in the coffin that is HID prox and Wiegand. These devices are no more secure than a standard key.” – Motherboard, Baseggio

The difference with a ‘standard key’, though, is that it takes some crafty spy work to make a copy without the owner being aware. Copying a HID card would take only seconds – at a gym, from lanyards left at a desk, etc.

Glad the research cycle is exposing these risks; looking forward to creative approaches to counter them.

James

p.s. My new book – How Not to Be Hacked – is available and is PERFECT for your family and friends who keep getting smashed by online criminals, malware, and account hijacks!

Amateurs Study Strategy; Experts Study Logistics – Battlefield Leadership series

In the business world, the military analogy “Amateurs study strategy; experts study logistics” emphasizes what matters beyond the initial success of a surge effort. Specifically, in relation to D-Day, the analogy shows the importance of establishing a port to provide fuel, reinforcements, ammunition, food, and supplies to the troops. The initial Normandy invasion of 135,000 troops required 15,000 tons of supplies to be landed every day, and as the presence increased so did the supplies. Thus, the Allies were forced to secure a port.

The Allies chose to build two ports and bring them to the coast of Normandy. This gave them the opportunity to establish a port at an area that was not heavily fortified (the Germans defended existing port locations closely). This out-of-the-box thinking allowed the Allies to achieve the objective and support the ongoing mission on land.

Business Reflections…

The ability to innovate and think beyond traditional structures is sometimes the only pathway to success. Think about Uber, Amazon, and other disruptive methods of transacting business. Each approached the same objective as the incumbents (black cars, books for reading), but achieved the ‘big picture’ in a manner the incumbents did not consider viable.

The key elements to achieve innovation from lessons at Arromanches:

  1. Focus on the objective and not the details of ‘how.’ This allows for iterations on methods while maintaining the continued support structure.
  2. Establish a team with a leader to drive the innovation. The team should be organized differently than the primary organization. This was done in Britain and allowed the Skunkworks group to succeed. The Skunkworks failed the first time and were reorganized into a new team to finally reach success.
  3. Plan redundancy. Two Allied piers were built. One of the piers was destroyed by weather (an identified risk), but luckily there was still one standing, and it supported the logistics for many months.
  4. Demonstrate success capability through detailed analysis. To allay counter-arguments, it is necessary to present a clear and evidence-supported case proving how the solution will be successful.

The Supply Chain

Here are a few generally obvious but necessary statements on the make-up of the supply chain. The service of the business and the delivery of product depend upon the inputs. These inputs are as important as the final work product. Failure to receive any input, or damage to an input, will lead to failure in the market. Each input must meet the integrity, quality, and security standards of the product it seeks to become.

Suppliers need to possess integrity to ensure the inputs are not damaged, sabotaged, or fraudulent. The reliability and availability of the inputs need to be vetted with redundant providers, and consideration of every part of the delivery channel is key. For instance, regarding a cloud service provider hosting data: what are the ISPs, routers, equipment, regional laws, etc. that affect the delivery of such a service?

A business must be able to achieve entry into a market category and sustain it! It is not enough to put a toe in the water; the business must sustain the patience and capability to grow in the market. Success is achieved by building scale into the business architecture and forming teams that are innovative and strong enough to become the senior management and leads.

What is Battlefield Leadership and what is this series about …

This is the fifth paper in this series. As part of my pursuit to learn and grow, I sought out the excellent management training team at Battlefield Leadership. I am professionally leveraging this across multi-million dollar projects I am overseeing (currently I am the lead executive building global compliance and security programs, specifically in the online services / cloud leader space). Personally, I am bringing these lessons to bear within my pursuits to cross the chasm. Too often I see brilliant technical individuals fail to communicate with very smart business leaders and with the common person on the street. My new book – How Not to Be Hacked – seeks to be a first step in bringing deep information security practices beyond the technologist.

Most exciting, the Battlefield Leadership group placed this training in Normandy, France. This allowed senior executives to be trained in a setting where serious decisions were made by both sides, and each provided a lesson. This series represents my notes (those I could take down) and takeaways. I share them to continue the conversation with the great individuals I met, and with the larger community.

Kind regards,

James


How to determine how much money to spend on security…

A question that many organizations struggle with is how much money is appropriate to spend annually, per user, on information security. While balancing security, privacy, usability, profitability, compliance, and sustainability is an art, organizations now have a new data point to consider.

Balancing – information security and compliance operations

The ideal approach for a business must always be based on internal and external factors that are weighted against the risks to its assets (assets here generally include customers, staff, technology, data, and the physical environment). An annual review identifying and quantifying the importance of these assets is a key regular exercise with product leadership; an analysis of the factors that influence those assets can then be completed.

Internal and external factors include a number of possibilities, but key ones that rise to importance for business typically include:

  1. Contractual commitments to customers, partners, vendors, and operating-region governments (regulation)
  2. Market demands (activities necessary to match the market expectations to be competitive)

Based on the quantitative analysis above, both at the aggregate level and distributed across the business, safeguards and practices may be deployed, adjusted, and removed. Understanding the economic impact of the assets, and of the tributary assets and business functions that enable the business to deliver services and product to market, allows for a deeper analysis. I find the rate of these adjustments depends on the business industry and product cycle, and is influenced by operating events. At the most relaxed cadence, these would happen over a three-year cycle, with a minor annual analysis conducted across the business.

Mature organizations would continue a cycle of improvement (note – improvement does not mean more $$ or more security / regulation; it is improvement based on the internal and external factors, and I certainly see it ebbing and flowing).

Court settlement that impacts the analysis and balance for information security & compliance:

Organizations historically had to rely on surveys and tea-leaf reading of financial reports where the costs of data breaches and FTC penalties were detailed. These collections of figures put the cost of a data breach anywhere between $90 and $190 per user. Depending on the need, other organizations would baseline costing figures against peers (i.e., do we all have the same number of security staff; what percentage of revenue is spent, etc.).

As a result of a recent court case, I envision the figures below being joined to the above analysis. It is important to consider a few factors here:

  1. The data was considered sensitive (which could easily be argued across general Personally Identifiable Information, or PII)
  2. There was a commitment by the provider to secure the data (a common statement in many businesses today)
  3. The customers paid a fee to be with the service provider (premiums, annual credit card fees, etc. all seem very similar to this case)
  4. Both those who had damages and those who did not were included within the settlement

The details of the court case:

The parties' dispute dates back to December 2010, when Curry and Moore sued AvMed in the wake of the 2009 theft of two unencrypted laptops containing the names, health information and Social Security numbers of as many as 1.2 million AvMed members.

The plaintiffs alleged the company's failure to implement and follow “basic security procedures” led to plaintiffs' sensitive information falling “in the hands of thieves.” – Law360

A settlement at the end of 2013, a new fresh input:

“Class members who bought health insurance from AvMed can make claims from the settlement fund for $10 for each year they bought insurance, up to a $30 cap, according to the motion. Those who suffered identity theft will be able to make claims to recover their losses.”

For businesses conducting their regular analysis, this settlement is important because of the math applied here:

$10 × (number of years as a client) × (number of clients) = damages … PLUS all of the upgrades required and the actual damages impacting the customers.
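To show how the settlement math above plays against the survey-based per-user breach costs, here is an added worked example (my illustration, not something from the court filings or the post's own analysis). The only figures taken from the post are the $10-per-year claim, the $30 cap, the $90–$190 per-user survey band, and the 1.2 million member count; the member records, identity-theft losses and remediation cost are constructed inputs. Note the cap: a member with five years of coverage still only draws $30, so the per-member term in the formula is min(years × $10, $30), not years × $10.

```python
"""Constructed example: settlement-style exposure estimate for a budget analysis.

Assumptions (not from the page): the member list, identity-theft losses and
remediation figure below are made up. The claim terms ($10 per year, $30 cap),
the $90-$190 survey band and the 1.2 million member count are from the post.
"""

PER_YEAR_CLAIM = 10             # dollars per year of coverage (from the settlement)
CLAIM_CAP = 30                  # per-member cap (from the settlement)
SURVEY_COST_PER_USER = (90, 190)  # survey-based breach cost band cited in the post


def capped_claim(years_as_member, per_year=PER_YEAR_CLAIM, cap=CLAIM_CAP):
    """Flat claim one member can make: $10 per year, capped at $30.

    Negative or zero years yield $0; five years yields the $30 cap, not $50.
    """
    years = max(0, int(years_as_member))
    return min(years * per_year, cap)


def flat_claim_exposure(members):
    """Sum of capped flat claims over (member_id, years_as_member) records."""
    return sum(capped_claim(years) for _, years in members)


def worst_case_flat_exposure(member_count, cap=CLAIM_CAP):
    """Upper bound on the flat-claim component if every member hits the cap."""
    return member_count * cap


def total_exposure(members, identity_theft_losses, remediation_cost):
    """The post's formula: flat claims PLUS actual customer damages PLUS upgrades."""
    return (flat_claim_exposure(members)
            + sum(identity_theft_losses)
            + remediation_cost)


def per_user_comparison(members, identity_theft_losses, remediation_cost):
    """Return (per-user cost, position relative to the survey band).

    This is the number a business would set beside its per-user security
    spend during the annual internal/external factor review.
    """
    per_user = total_exposure(members, identity_theft_losses, remediation_cost) / len(members)
    low, high = SURVEY_COST_PER_USER
    if per_user < low:
        position = "below survey band"
    elif per_user > high:
        position = "above survey band"
    else:
        position = "within survey band"
    return per_user, position


# Constructed sample inputs (hypothetical; not data from the case).
SAMPLE_MEMBERS = [("m-001", 1), ("m-002", 2), ("m-003", 5), ("m-004", 0)]
SAMPLE_ID_THEFT_LOSSES = [1200.0, 350.0]   # two members with documented losses
SAMPLE_REMEDIATION = 2000.0                 # e.g. encrypting the laptop fleet (hypothetical cost)

if __name__ == "__main__":
    flat = flat_claim_exposure(SAMPLE_MEMBERS)
    total = total_exposure(SAMPLE_MEMBERS, SAMPLE_ID_THEFT_LOSSES, SAMPLE_REMEDIATION)
    per_user, position = per_user_comparison(SAMPLE_MEMBERS, SAMPLE_ID_THEFT_LOSSES, SAMPLE_REMEDIATION)
    print(f"flat claims: ${flat}, total exposure: ${total:.2f}")
    print(f"per user: ${per_user:.2f} ({position})")
    print(f"worst-case flat exposure for 1.2M members: ${worst_case_flat_exposure(1_200_000):,}")
```

The flat-claim component alone lands well below the survey band (the cap keeps it at $30 per member at most), which is exactly why the post stresses the "PLUS" terms: actual damages and remediation drive the per-user figure, and the worst-case flat exposure only becomes large at the scale of a 1.2 million member population.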

Finally

Businesses should update their financial analysis with the figures and situational factors of this court case. In some cases this will reduce budgets, but where service providers have similar models and data, better security will be needed.

As always, the key is regular analysis against the internal and external factors, to be nimble and adaptive to the ever-changing environment. While balancing these external factors, extra vigilance is needed to ensure the internal asset needs are being satisfied and remain correct (as businesses shift to cloud service providers and partner with others, the asset assumptions change .. frequently .. and without any TPS memo).

Best,

James


Android fragmented device market = high risk mobile platform

The market for mobile devices is growing faster than the PC market, and with that growth come user adoption, the need to enable systems to interoperate, and of course the need to keep the data flowing. The challenges on mobile devices cross many spectrums, but one area to highlight is the variety of “branches” of the Android operating system and device platforms.

A nice visual was put together over at OpenSignalMaps that shows the variety of devices running the Android OS, based on data collected by their application. This is by no means a complete list, but it effectively defines the problem space. There are a lot of platforms that can run Android and have apps installed, and each can be utilized by the consumer. This trend will only radically increase as more and more devices are enabled through Android licenses (TVs, cars, toasters, space ships, etc.). The latest iterations from Amazon are a great demonstration of custom hardware, blended operating system components, and user-linked service providers tied to application and device.

A quick bit of detail on their findings – 3,997 total distinct devices! Though 1,363 were only seen once, likely a result of the data source and one-hit wonders. Still, that is a very large population. The device model breakdown is the top graphic; the authors provided a number of different slices of the data, and it is worth reviewing.

From an information security and compliance perspective, below are two key areas – software updates and chipsets:

  • Software updates … not timely, not consistent, or completely absent depending on the platform. This relates to the apps' compatibility with the platform and OS. The operating system itself, as highlighted on Google’s own dashboard, shows a broader active OS base across legacy operating systems than Apple. The lack of software updates – being applied, existing, and being compatible – must be mitigated. The problem must be framed properly here: updates in the “new” mobile world are not always there to patch security vulnerabilities. Some, many, are feature updates that are user focused, backend improvements, etc. Therefore some updates (read: SOME) are not necessary but are nice-to-haves. The business needs to integrate these considerations within the broader IT management framework to ensure that the risks that do exist are mitigated. Sometimes updating to the latest version (to get rid of that nasty little red number) is not the right course of action.
  • Hardware chipsets … not to be trusted. The hardware that makes up these tablets is based on a global supply chain. As organizations move beyond single-vendor sourcing (ahh, the good ol’ days of Blackberry – yes, I said it) to multi-vendor / multi-platform, awareness of the hardware becomes important. Hardware is specifically a risk to be addressed when the focus is on High Value Assets and Persons, meaning those who have access to that type of data or are likely targets of attacks. It is those persons upon whom you would base the device platform selection. The number of poisoned chipsets coming out of China and other areas is increasing. An appropriate level of consideration is important. Beyond poisoned chipsets (i.e., malware / trojans built in), some chipsets have flawed designs that are identified by researchers (and published, such as at DefCon), and always utilized by attackers in the wild.

There are other areas of consideration, but the two above draw on the 80/20 rule … would love other thoughts here!

Google also has a developer dashboard that highlights information about the deployed operating system distribution and adoption (as recorded based on connections to Google Play) that is worth visiting.

To sum it up … Having worked with clients to understand, frame, and execute plans that embrace mobile technology across their business, I know it requires an understanding of what the opportunity space is. Each enterprise is a bit different as a result of industry, age of company, and of course its business objectives. The challenge of a fragmented (Android) market space is that it creates risks that need to be viewed across a spectrum within the organization. The fragmentation is not obvious (not 1,000+ iterations!) and so the field of risk is not within line of sight. Organizations tend to go through phases when adopting mobile technology (consumerization) – block; deny; resist; deny without blocking; and finally yield … Given the fragmentation, mature businesses move beyond simple prohibition and instead initiate a process to put in place information security safeguards to mitigate the risk to an acceptable level.

The authors of the original study made a good point at the end – the blessing and curse of Android is the fragmentation and not knowing where the application will run and on what hardware (country, etc.). Finding an operational balance is the key.

Thoughts?

James DeLuccia

What does the SCADA water pump attack mean to your business…

The ability to attack, compromise, and cause damage has existed since the utility industry began connecting these systems to the Internet. Examples, including the European nation that was attacked 24+ months ago, are easy to locate. Yesterday an attack (more proof of concept than anything it could have really been) occurred. The current public awareness of cyber attacks, the nation-state theater risks, and the transparency of this action have raised the resulting awareness beyond the closed professional circles within information security. There are a number of interesting write-ups, and I would suggest carefully reading a few for a balanced perspective. Two that I would recommend include:

What this means for your utility company is that the abstract threat modeling exercise that considers these attack vectors should be conducted more thoroughly, with real risk and mitigation decisions progressing up to the Board of Directors.

As for everyone else who is a customer of such utility companies, BCP/DR plans should be updated to reflect the possibility of such a loss of services. Business enterprise information security / risk management programs (plus vendor management) should elevate utility service providers (including cellular operators). These actions should directly affect the annual/ongoing risk assessments and establish an expectation of regular security assessment and assurance from these service providers.

It is an interesting quandary that cloud service providers are vetted and assessed more rigorously than utility service providers, the original cloud.

Thoughts .. challenges?

James DeLuccia IV

Other thoughts?

James