Security Blog

Your source for information security news and views.


Egyptian Outage Calls For Rapid Innovation

Posted by Patrick Snyder on Tuesday, 01 February 2011 in MyBlog

Egypt has pulled the plug. This topic has been overtaking our news feeds this past week. It's time we take a look at the good, the bad, and the ugly of this situation.

In fear that social networking will allow protestors the opportunity to further organize their anti-government demonstrations, the Egyptian government has ordered all internet services to shut down.

ISPs have disabled all wired communications. As of yesterday morning the final ISP went down. What is surprisingly scary is how quickly these services can be shut down by an ISP. In a matter of minutes these companies can alter national router hub configurations and black out the entire country.

Will there be any light at the end of this dark tunnel? I guess you could assume no internet service means no internet security breaches, but then again, you can't.

Without internet connectivity, tech workers in Egypt are left with nearly nothing to do (except for a game or two of solitaire). Imagine if General Motors halted its automobile manufacturing: no cars, no work. Many companies that outsource to Egypt are also feeling the tension from the outage. Microsoft is threatening to pull out many of the services it relies on Egypt's tech community to maintain. Egypt is slowly losing its grip on the technology forefront, not to mention the political unrest it is causing with many foreign policy leaders.

In making the best of a bad situation, we may see some good come out of this in the world of technology innovation.

With the mobile phone towers kicking back on, Google has had the opportunity to push its voice services towards a new purpose: tweeting by voice, made possible by Google's recent purchase of the SayNow service. In a service Google has "hacked" together, users are able to leave voicemails on designated international "speak-to-tweet" hotlines. These voicemails are then posted to Twitter with an #egypt tag. Quite the innovation, considering it took Google only a few days to implement.

Users are also going to the sky for wireless connectivity. Ad-hoc networks are cropping up all over the country as users attempt any means of staying connected to each other.

Though the events of the past week have had many devastating effects, they are also striking up a surprising amount of innovation and adaptation in the technology world. This abrupt change has made voice communication and mobile networking a top priority. It could potentially push these two concepts to a whole new level never before seen by our generation.

Even an internet outage cannot stop the advancement of technology. Desperate times call for desperate measures.

 


Looks like a Re-Evolution

Posted by Ken Kousky on Thursday, 27 January 2011 in MyBlog

New Year, New Technology, New Game, New Threats

As we all have heard, 2010 was the year of game-changers, with more malicious attacks and new technology than any preceding year. But now that the rules have changed, it's time to get back in the game.

So far 2011 is outlining huge innovations in technology: tablet PCs will take over our offices, and mobility and wireless networking are approaching a new forefront of innovation.

But as we improve our playing strategies, so do our enemies. The fight to protect our emerging technology assets is not a game we can afford to lose.

Obama's recent State of the Union address has called for huge investments in information technology innovation. Supercomputing and the advancement of technology were stressed repeatedly within his speech. This spells big things for the IT community.

Get ready for new projects, new technology, and best of all, new budgets.

Human resource management will be begging for information technology professionals soon, so be prepared for a job market comeback in IT. The recession is ending and soon the technology movement will be back in full force.

Not only will information technology be the hot topic in industry but also in education. This will open up even more opportunities for IT technicians, security experts, and teachers. Obama has already made the call to start filling schools and universities with more of these professionals.

So prep your resumes and shine up your certification plaques: the IT revolution is on its way.

In other news, IPv4 D-Day is approaching fast. As of February 1, 2011 (maybe even sooner) all IPv4 addresses will be exhausted. Time to start prepping your company for a dual-stack implementation. Don't want to lose your competitive edge!

Tags: News

The More Things Change, The More They Stay The Same

Posted by Ken Kousky on Sunday, 10 October 2010 in MyBlog

Imagine a war where your enemy is given a perfect replica of each weapon you use. If you shoot a machine gun, they instantly get one. If you use an RPG, they get one. The more you think about it, the more untenable it becomes. That’s what our cyberwarfare looks like. Code is code, good and bad. But take our example one step farther and realize that every evil piece of code resides in the wild and can be aggregated with techniques and practices to develop ever-more sophisticated attacks.

Security is changing. We see it everywhere. It’s becoming INSTITUTIONALIZED. That scares me. Too often we begin to embed practices prematurely. A great example – we’ve institutionalized strong passwords. It will take decades to get rid of them. They’re an oxymoron. If passwords are something an individual knows that we want to use for authentication, strong passwords are a security violation because they’re something the user DOESN’T KNOW! They have to be written down somewhere. They’re tokens. But today’s compliance software tests and makes sure every user has a password they have to write down.

Now we confront STUXNET and the A/V vendors say it’s a new world of Advanced Persistent Threats where signatures have little value, but we’ve institutionalized them and they eat up our budgets, create a false illusion of security and can’t do anything at all when we send encrypted traffic.

I hope you’ll find time to join us at a Strategy to Reality workshop soon. Five years ago we addressed SCADA training, seven years ago we talked about the failure of strong passwords and last year we covered the covert channels we’ve created by introducing VoIP and leaving it out of the classical security architecture.

It’s a start ….

No matter what level you’re at, you need to stay aware of how technology transitions are creating new exposures. You need to be thinking about all the elements of your enterprise exposed to the net. You need to understand that there are serious scientists working for bad guys.

Tags: stuxnet

Ken Kousky wins 'Coach of the Year' at ACE '10

Posted by Paul Masson on Friday, 22 January 2010 in MyBlog

The Great Lakes area Annual Collaboration for Entrepreneurship elected Ken Kousky as 'Coach of the Year'.

The 10th annual event featured over 900 guests and 175 companies. Ken was recognized for his mentoring work with students and emerging businesses throughout Michigan. The fruits of his efforts were demonstrated by Kenneth Lang, one of Ken's students, who won first place in the Collegiate competition and a $1,000 prize for his elevator pitch. His presentation was based on a project he had done in Ken's class two years ago and is now developing into a complete business.

Congratulations to Ken on achieving this honor.

Tags: Untagged

Apple Keyboard Exploit a Concern?

Posted by Ken Kousky on Sunday, 16 August 2009 in MyBlog

Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code are out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Black Hat this year. The concept is simple: a modern Apple keyboard has about 8K of flash memory and 256 bytes of working RAM. For the intelligent, this is more than enough space to have a field day.

I wouldn't lose sleep over this or get worked up about Black Hat demonstrations. Compensating controls that continue to provide security in depth in this case would include network and host IDS/IPS, so that the keystroke log files might be found stored on the host or being transmitted out of the enterprise. In the case of a shared public lab, like the university cited, the common safeguard is to wipe and rebuild each machine on a daily basis.

I'd agree that this is another serious vulnerability that should help heighten our awareness of the potential dangers.

The biggest danger I see in information assurance today is the belief that only good guys are finding these holes and the belief that sharing them at Black Hat educates the bad guys.

Anybody who has spent more than 10 minutes following the current exploits in the wild understands that the folks behind Conficker or the theft of the F35 designs are very, very competent. They don't need Black Hat demos to find opportunities. They're finding more and better exploits on their own.

WE need the demos to help wake up and inform management as to what we're up against and how insanely insecure many systems are today.

The Twitter DDoS, F35 design theft, multi-million node botnets, massive penetration of our power grid and 90% of all email being malicious (I consider all fraudulent mail including spam as malicious) should be enough of a wake-up call, but it doesn't seem to penetrate.

Regards

Ken Kousky

Tags: hack

IA

Posted by Ken Kousky on Tuesday, 23 June 2009 in MyBlog

To many, IA refers to information assurance. I really like this term much better than information security, since it speaks to the broader concepts of informational integrity and places emphasis on a far more committed and positive notion: assurance.

However, to others there is an equally important I and A. This is integrity and availability, two of the three traditional goals of security represented by the famous triad, C-I-A. For far too long, information security has focused almost exclusively on the "C", confidentiality. In far too many aspects of our modern digital age, integrity and availability are as important or often more important.

I'll never forget a meeting with a retired hospital CEO who scolded me on the destructive influence and operational damages brought by information security professionals who thought HIPAA was about privacy and confidentiality rather than portability and efficiency.

One of the most important lessons I can share about the triad is that these goals are usually competing and at times mutually exclusive. All too often, it's a zero-sum game. That is, to get more confidentiality, we forsake integrity. This is a lesson I often share in our CISSP boot camps. When one looks at the early abstract security models, the Bell-LaPadula model suggests that for multi-level security one cannot write data down from a higher level of security to a lower level, nor can one at a lower level read data from a higher level (insert graphic). While Bell-LaPadula played a vital role in framing our understanding of multi-level security and how a system might be architected to implement these capabilities, it was limited in focus to only confidentiality. Biba produced a model several years later that addressed the more likely commercial concerns about data integrity. To maintain multi-level data integrity, the Biba model states that one cannot write data up from a lower integrity level to a higher level, nor can one at a higher level read data from a lower level.

What we see is that these rules are mirror opposites. What provides confidentiality of information prevents integrity controls, and what provides the greatest integrity controls compromises confidentiality.

This makes sense in the real world too. When we think about trying to make strategic decisions based on confidential information, we have the challenge of adequately vetting the information. If I tell the whole world we're invading Iraq based on a variety of intelligence sources, we then must disclose those sources. Intelligence personnel are concerned that disclosing their sources will compromise their sources. They fail to appreciate that they compromise the integrity of the source by protecting its confidentiality. How do we review and judge the accuracy and quality of information without disclosing the sources for rigorous review?

So, is it information assurance or integrity and availability that we need to add to our agenda? Actually, I think both go hand-in-hand which, when one thinks about it, might be just what we needed.
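The "mirror opposites" point made above, worked through as an added example that is not part of the original post: a small Python model of Bell-LaPadula and Biba access decisions over a hypothetical four-level ordering (the label names are assumptions). It checks that Biba's verdict is always Bell-LaPadula's with subject and object labels swapped, and that a system enforcing both rule sets on one label set permits nothing but same-level access, which is the zero-sum trade-off the post describes.

```python
"""Bell-LaPadula vs. Biba access decisions (added example, not from the post).

Levels form a total order modelled as integers, 0 = lowest. The label names
below are hypothetical and exist only to make the decision table readable.
"""
from itertools import product

LEVELS = {"public": 0, "internal": 1, "secret": 2, "top_secret": 3}
OPS = ("read", "write")


def blp_allows(subject: int, obj: int, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj   # simple security property: read at or below own level
    if op == "write":
        return subject <= obj   # *-property: write at or above own level
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: int, obj: int, op: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    if op == "read":
        return subject <= obj   # simple integrity: read only from at or above own level
    if op == "write":
        return subject >= obj   # integrity *-property: write only at or below own level
    raise ValueError(f"unknown operation {op!r}")


def both_allow(subject: int, obj: int, op: str) -> bool:
    """A system that enforces both models on the same set of labels."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def models_are_mirrors(levels=range(len(LEVELS))) -> bool:
    """Biba's decision equals BLP's with subject and object labels swapped, in every case."""
    return all(biba_allows(s, o, op) == blp_allows(o, s, op)
               for s, o, op in product(levels, levels, OPS))


def combined_is_same_level_only(levels=range(len(LEVELS))) -> bool:
    """Enforcing both models at once allows access only when the two labels are equal."""
    return all(both_allow(s, o, op) == (s == o)
               for s, o, op in product(levels, levels, OPS))


def decision_table():
    """Rows of (subject, object, op, BLP verdict, Biba verdict) for every label pair."""
    names = sorted(LEVELS, key=LEVELS.get)
    return [(s, o, op,
             blp_allows(LEVELS[s], LEVELS[o], op),
             biba_allows(LEVELS[s], LEVELS[o], op))
            for s, o, op in product(names, names, OPS)]


if __name__ == "__main__":
    for row in decision_table():
        print("{:10} {:10} {:5}  BLP={!s:5}  Biba={!s:5}".format(*row))
    print("Biba is BLP with labels swapped:", models_are_mirrors())
    print("both models together allow same level only:", combined_is_same_level_only())
```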

Tags: information

More RSA and More on Data Loss Prevention

Posted by Ken Kousky on Sunday, 17 May 2009 in MyBlog

Is it more polite to say data "leakage" prevention rather than "loss"? We know that what leaks might be recovered, and since we usually still have a copy, isn't it a bit bold to call it a "loss"? Sure, there were terabytes of data on the most expensive weapon ever developed, but the report in the Wall Street Journal made clear that it wasn't ALL of the data, so maybe that's just a leak. And we still have the original data. But, like TMI and TLI, using three letters saves us the debate altogether. Let's just go with DLP.

Of course, once you're in the DLP space, you're touching PCI-DSS compliance and that's a nice slippery slope into the whole realm of protecting electronic health and medical records (the difference here is important, but we'll save that for another posting). EHR/EMR are big pieces of the ARRA (that's another acronym we'll be talking a lot about - it's the American Recovery and Restoration Act, and it's almost $800 billion of the current stimulus package). The important opportunity for creative DLP solutions is around the new protections which are mandated as part of the spending package on health care information systems.

RSA had vendor after vendor with last year's solutions wearing new banners proclaiming there was something new to be seen. For the most part, and I mean for 90% of the exhibitors, there wasn't anything new!

My beef about too little imagination might be contrasted with the creativity and inventiveness we see in malware and botnets today. Now that's where you can see real imagination. Maybe TOO MUCH IMAGINATION! TMI again.

Now if the bad guys had a show think of all the new stuff we'd see. Think of the advances the botnets have made. Think of how much creative energies have gone into landing checks from Google and Microsoft for click fraud attacks. Wouldn't one of the keynotes be the team that took terabytes of data on the United States' most expensive weapons program in history? I'm sure none of you missed the Wall Street Journal article that broke just in time to remind all of the RSA crowd that we're not winning this game. (insert link)

The breakout sessions for the bad guys might include:

  • Advanced SQL injections (something we showcased in our 2003 Strategy to Reality workshop suggesting that website coding needed to be hardened)
  • Buffer overflows for the lazy
  • Selling financial data online
  • New tools for Herders - what your botnet controllers should include ...
  • Marketing strategies for botnets - who wants to rent your million boxes
  • ePay - a new underground for selling whatever you happen to find on a remote node
  • Exploits below the radar - using 10k bots as spam relays allows everybody to be low and slow and never found

If we lack imagination we're in trouble. 

I just want to get you thinking about what the bad guys could really do, or more likely, are already doing.

For years we've been making a big point about the threat of new emerging technologies that are creating big exposures. Does it take imagination to see these threats? Maybe it takes better communications upstream to management and the entire risk management community.

What are your thoughts? Be imaginative. Don't worry, we won't say it's TMI.

Tags: botnet

Pandemics and Continuity

Posted by Ken Kousky on Sunday, 17 May 2009 in MyBlog

In our Strategy to Reality workshops, we've spent a lot of time discussing the growing commitment to risk management in most of our enterprises. This has to be seen as an extremely valuable process. However, as we rush to be more risk aware, we may be encountering another aspect of TMI (too much information - see the May 4th posting). There are simply too many things that can, and at some point in the future may well, go wrong. It is this uncertainty of outcomes and the potential problems we face that shape our thoughts and planning on risk.

In the context of far greater concerns about risk, our preparedness for a flu pandemic is a vital issue.

For the most part, surveys on the question suggest that there is indeed a substantial


TMI

Posted by Ken Kousky on Sunday, 03 May 2009 in MyBlog

I just learned some new texting shorthand from my daughters - TMI, meaning too much information.

I also began texting myself for the first time while working the floor at RSA.

So, it got me thinking ....

  • Too Much Information
  • Too Much IP (intellectual property easily stolen over the net)
  • Too Much Infrastructure
  • Too Much Interconnectivity
  • Too Much IP (internet protocol connections)
  • Too Much Indifference

Or maybe it's really about what we don't have enough of?

Has anybody ever used TLI? And that got me thinking that it wasn't just for too little information.

Two weeks ago when I returned from RSA I was both disappointed and discouraged. While the economy may have taken a small toll on the attendance and exhibitors, what really stood out was a lack of imagination. Shortly after 9/11, I heard Richard Clarke use that expression, a lack of imagination. We failed to think outside the box and see many of the obvious threats. When the French built the great Maginot Line, the impenetrable border between France and Germany, they lacked the imagination to see that a German military set on invading France would have few, if any, problems simply going around the wall and entering France through Belgium. My corollary is simply "bad guys cheat", but maybe they also have more imagination.

TLI: Too Little Imagination with all of our other TMI's isn't a good thing!

The industry I saw at RSA lacked imagination. It seemed that just as every other vendor in 2007 realized they had to proclaim they were a NAC solution, this year's required dress was a DLP message somewhere in the booth. Data loss is a big problem. Most forms of computer security touch one or many aspects of data loss prevention. So, if word is out that industry needs data loss prevention, then everybody has it. 

So, while we're struggling with too much information, we seem to simultaneously drown out the creative interpretation of all that information that comes from creative and insightful imagination.

I can take the TMI but the TLI is killing us! What do you think? Feel free to share more than 3 letters.

Tags: information

The Governmental Response

Posted by Ken Kousky on Thursday, 16 April 2009 in MyBlog

Any student of modern history must understand that when bad things occur, in particular when there are systemic failures, government happens.

While most IT security professionals are familiar with the Gramm-Leach-Bliley Act's requirement that personal financial information be appropriately protected, it's impossible to understand today's economic crisis without realizing the profound impact that GLBA had in deregulating or de-governing the American financial system. Not only did GLBA open the door for the evolution of derivative markets, it allowed banks and financial institutions to create highly flexible but highly de-governed and deregulated enterprises. The traditional regulated mortgage industry was replaced by an unregulated, and thus de-governed, financial industry. It was a disastrous failure!

The primary concern of IT security professionals should be foresight in organizing and preparing for a massive new array of regulatory oversight. Similar to the impact of the Gramm-Leach-Bliley Act, we can expect information security and information assurance requirements to be embedded in far more comprehensive and complex regulatory legislation.

Of particular concern should be the inevitable regulatory responses.

First, we can expect regulation to go beyond broad information assurance statements and become increasingly specific. This is the result of failed generalities. For example, legislation for accelerating the implementation of electronic medical records will increasingly drive more specific safeguards of this information. We can be certain that confidentiality and privacy will be expanded to provide greater concern over information integrity and availability. Availability failures in medical records certainly can create life-threatening scenarios.

Second, the integrity of financial information will continue to be addressed through more and more specific guidance. Sarbanes-Oxley was an early attempt, rushed to legislation following the collapse of Enron. The next round of regulatory controls will be more specific and simultaneously more comprehensive.

Finally, there is an emerging trend to validate, accredit or certify the competencies of security professionals. This was highlighted in a recent Wall Street Journal article by Bruce Schneier, dated March 31, 2009, Who Should Be in Charge of Cybersecurity? Specific legislation recently cited in a Washington Post article, dated April 1, 2009, Senate Legislation Would Federalize Cybersecurity, proposes requiring the licensing and certification of cybersecurity professionals. The legislation (Rockefeller-Snowe Measure), co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Senator Olympia J. Snowe (R-Maine), can be found in a U.S. Senate working draft of the Bill dated March 31, 2009.

This proposed legislation specifically states:

"Section 7: LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS

(a) In General. - Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) Mandatory Licensing.-Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."

At IP3 our specific strategy will be to continue to organize and assemble the appropriate training and technical knowledge necessary to stay in front of these trends. We'll continue to focus on certification prep programs and stay abreast of the ongoing trends in certification requirements. My prior work with the Institute for Defense Analysis included the advisory team that produced the guidance which led to DoD Directive 8570 mandating a broad array of specific certifications for military security professionals. We will try to stay closely involved in similar trends and continue to provide you, our clients, the most comprehensive overview and insight into these trends possible.

Get smart, and stay smart.

KWK

Tags: regulation

Risk Management, Economic Stimulus and Information Assurance

Posted by Ken Kousky on Monday, 12 January 2009 in MyBlog

The chaos resulting from the economic disaster in our financial system and the ensuing rush to spend money to stimulate economic growth has left information assurance and IT security side-lined.

Most organizations are trying to understand the new business conditions before they allocate budgets for IT. At the same time, an increased focus on risk management is tying up critical management resources. Much of the current work will prove to be tedious bureaucratic processes with little true economic impact. There is simply too much focus on "grand unifying methodologies".

In the midst of these conflicting initiatives, there are several clear key critical points on which new strategies must be built.

First, the economic collapse was rooted in information assurance. The failure to have transparency in derivative contracts was an information integrity failure. Alan Greenspan and both political parties, along with our major regulators, all put phenomenal faith in counter-party surveillance. The idea was that the financial system could not load up with lousy or fraudulent transactions because there is always a counter party to every sale. Somebody is putting money at risk, and they're the most obvious party to regulate the risks they accept. The buyer and seller had strong vested interests in making sure that their contracts were secured. What lender would want to expose their money to investments that were likely to fail?

However, they did make these investments and they did lose billions of dollars. The failures were systemic. That is, the overall processes and governance failed us. Systemic failures always require systemic solutions, and it is inevitable that a new array of government regulations and oversight will be applied to the financial industry. To this, we can add the auto industry with billions of unfunded pension liabilities and the accountants who missed all of this. So, our first guiding principle is that every organization should be preparing itself for a vast new array of regulations that will have profound impact on the enterprise. This means substantially more information processing for everything from car loans and mortgages to operational accounting and reporting.

Mark-to-market as an accounting principle suggests that financial assets be adjusted to reflect their current market value. This can only be done through a massive amount of readily available economic information. What we should think about is Sarbanes-Oxley on steroids. We should also realize that with all this new regulation there will be more vital and strategic information to be protected, so we might think of it as Sarbanes-Oxley² plus a healthy dose of PCI and HIPAA: more data with more data loss protection.

The winners will be companies that design, develop and deploy appropriate information processing systems with adequate security and risk analysis so that they can be both more secure and more compliant. That's a big upside opportunity for information security.

It's funny that over the last year in our surveys of executives from our flagship seminar series, Strategy to Reality, regulatory compliance was consistently listed as one of the serious risks confronting an enterprise. While compliance is meant to provide assurance that we are mitigating risks, it has become a threat in itself. Healthy organizations must begin now to harmonize their compliance processes with actual threat mitigation. This is the second principle we'll talk about in another posting.

Third, an economic stimulus for the enterprise will likely include investment incentives. The Obama administration has already outlined that improved information technology in healthcare will be one of the targeted infrastructures. We're seeing a more generalized theme emerging where the stimulus package for infrastructure is not our old conservation corps building parks and planting trees but, more likely, a modern cyber structure providing greater information technology resources to schools, hospitals and governments. While there certainly is far more we'll be discussing in these areas, the key point is that the last thing a troubled economy needs is more risk and uncertainty. Winners and losers are always pronounced during periods of economic volatility, and we can be certain that this period will be no exception. 

We believe information assurance and IT security will be vital industries in the new economic order!

Tell us what you think.

Tags: risk

The Other WMD

Posted by Ken Kousky on Sunday, 14 December 2008 in MyBlog

The possibility, even when remote, that a small band of fanatical terrorists could gain possession of the materials necessary to assemble and detonate a nuclear bomb in the United States is one of the most horrifying dimensions of risk in the 21st century. It serves to define asymmetric warfare: a war where an extremely small number of committed individuals are able to harness unbelievable power in their attacks on the most developed and prosperous nation in the world.

A related aspect of asymmetric warfare is the inability to identify and target the assailants through classical means.

A concept closely related to weapons of mass destruction (WMDs) is the tools of mass disruption. The use of such tools is often referred to as cyber warfare, and their threats have many parallels to our concerns over traditional weapons of mass destruction.

  1. Weapons of mass disruption can be harnessed by an extremely small group of committed individuals.
  2. Their potential for collateral damage is significant.
  3. Like a nuclear blast, their destruction is indiscriminate.
  4. Properly identifying the source and counter-attacking with traditional conventional programs may be impossible.

Over the last year, we have seen numerous events that clearly raise the probability of a loss to weapons of mass disruption (WMDr). There's good reason for us to raise our concerns over an expected loss to WMDr.

In Estonia and this year in Georgia, we have witnessed expanded use of disruptive attacks. DDoS attacks on critical infrastructure are quite potent. We have seen successful attacks on the Commerce Department's office responsible for tracking and protecting our intellectual property globally. Targeted attacks on Spamhaus, DNS servers and commercial sites all add to our heightened threat level for WMDr.

Given the knowledge that the probability of an incident is increasing, we should also note that there is growing evidence that the potential impact of such attacks is also expanding. Two areas of particular concern, VoIP phone systems and our DNS directories, suggest that far more vital infrastructure can be easily knocked out. A parallel concern to the potential damage that can be wreaked is based on the growing capacity of botnets. When over a million nodes can be leveraged as attack vehicles, the potential impact becomes chilling.

If we take to heart the vast array of vulnerabilities we are patching on a daily basis, it's clear that virtually all devices we are connecting to the internet can potentially be compromised and harnessed as attack nodes. This would include gaming or video recording devices built on Linux kernels. If the kernel has known exposures, and it's possible to touch these devices through the net, couldn't they be compromised? What happens when a million video recorders turn on us?

The first step in any appropriate strategy to defend against WMDr is to increase our awareness and include this threat in our risk analysis. This would include paying as much attention to WMDr as we do to WMDs. Literature on risk analysis demonstrates clearly that high-impact but low-probability events are often very difficult to measure as compared to real, relatively routine events with high probability but much lower impact. WMDr are far more likely to impact most enterprises, but the perceived impact is very limited. We may need to pay special attention to adequate defenses to make sure that this remains the case.

More to follow . . . .

Tags: viruses

Who's Winning the War?

Posted by Ken Kousky on Wednesday, 06 August 2008 in MyBlog

Winning the war: no, this isn't about Iraq or al-Qaeda, but it is about a massive asymmetric war raging on the Internet. Botnets are now able to claim millions of nodes to harness for malicious use, and the question we have to continually ask is: how are we doing?

Today's headlines read that 11 perpetrators allegedly involved in hacking 9 major U.S. retailers were indicted. They're allegedly involved in the channeling of over 40 million credit cards and debit cards. We took down 11 bad guys, and the press suggests that we've made a major dent.

However, the Commerce Department has previously said that they believe that online fraud and crime today is larger than the illicit drug industry in the United States. The illicit drug industry has produced over 500,000 prison inmates. The war on illicit drugs costs billions of dollars and involves international aid to foreign governments to assist them in drug eradication, and it engages virtually all aspects of our legal system from local police to large dedicated federal teams. One significant argument for the imbalance of resources is that drug-related crimes are much more likely to involve threats to life and physical safety. However, as we explore the digitization of our modern life, it's hard to believe that cyber attacks won't impact life as medical systems, SCADA controls and other critical resources become exposed to cyber exploits.

Three questions we need to ask:

1) How serious are these threats?

2) How are we doing in mitigating these threats?

3) What can we learn from our risk analysis to better defend the deployment of new medical systems, VoIP implementations, and the ongoing connection of defenseless consumer products linked to the Internet?

I've frequently posed the question: what happens when our VCRs, refrigerators and cars are all IP devices and one day turn on us? Our job is to make sure that day never comes, but some days I wake up thinking we're losing the war.

"What do you think?"

This is an active forum, and we'd love to hear your feedback.
