Why PCI and APTs are NOTHING alike
Today I read a blog entry which both amused and troubled me. The entry in question can be found here and was written by Anton Chuvakin, a smart cat who is obviously trying to draw parallels where they simply do not exist. In this case, he asserts that there are at least 9 reasons which describe how (and why) the PCI-DSS standard and Advanced Persistent Threats (APTs) are alike. Not being new to either, I thought I would read Anton’s entry and see where he was going with this... apparently to la la land. Let’s take a look at what he asserts.
First and foremost, he asserts that they are similar. I find that humorous at best and borderline irresponsible at worst. PCI, as you, dear reader, are well aware, is a governance standard created by the payment card industry (the PCI in PCI-DSS) in order to establish a homeostatic baseline against which all vendors, merchants, and processors conducting business with the big 6 in payment cards exist and can be measured. It has nothing to do with threat modeling or mitigation. Nor does it ensure (as we are painfully aware due to the unfortunate events which took place at Heartland, Hannaford and a host of others who were either certified PCI Compliant or in the process of being certified) that anything beyond the scope of the systems which comprise the environment that processes credit card information is secured (that in-scope environment is addressed via vulnerability scanning and auditing against the standard), leaving the remainder of the enterprise to sway in the wind like yesterday’s laundry. For the record, I don’t think PCI is good or bad, but rather like climbing the rope in gym class: if you want to make the grade, you’ll get up that rope; otherwise you’ll receive the consequences. It doesn’t really speak to one’s athletic capabilities or aptitude; however, it does impact your grade. PCI is more akin to this than to APTs.
Anton asserts the following (whether in jest or in all seriousness is debatable):
- “P” in “APT” stands for “persistent”, “P” in PCI stands for … well … PCI is pretty darn persistent
- Ok... this is cute, but hardly relevant or helpful to anyone combating, or faced with the prospect of combating and defending against, the realities associated with APTs.
- Both are absolutely a threat, whether of non-compliance or of severe 0wnage…
- Both are not threats. The penalties for failing to comply with the PCI-DSS standard, if one’s organization hopes to continue doing business processing credit card transactions, are a promise, whereas the threats associated with ‘APTs’ are wildcards and cannot be guaranteed, as no two ‘APTs’ are alike.
- “Nobody would ever find that we lied on our SAQ” is said sometimes in PCI, and “no APT will want to hack us” is often said about APT.
- I have no issue with this, if only because it is generally true that in making assumptions which eliminate the possibility of risk, one does oneself no favors.
- People under PCI sometimes do not want to update their anti-malware defenses, because they say “it is too hard.” People under APT often also do not update their anti-malware because… hey… what’s the point?
- In all my years in consulting, working in research, and for two different information security vendors, I have never met an organization that said updating was too hard. I have, however, met several who asserted that the politics which governed their environments were prohibitive and that their management teams were, for better or worse, comfortable with the assumed level of risk under which they labored and operated. Fair enough; it’s your environment, do as thou wilt. However, in working with those who have been victimized by ‘APTs’, I can tell you that none have ever (let me reiterate, EVER) said “what’s the point” about updating their malware defenses. The reality is that 99.999% of the time they were completely unaware that their environments were at risk; they were updating their defenses and assumed their vendors were maintaining congruency and continuity with respect to the content they were delivering. In most of these cases, the advanced analytic tools which were necessary (above and beyond logging and monitoring, by the way) were not present within these environments, and as a result the ability to track the activity associated with these threats was absent.
- “A” in APT stands for “advanced,” PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station)
- True; however, there are restrictions and guidelines associated with transaction levels (minimum activity, dollar amounts, etc.). ‘APTs’ are not always terribly advanced. GhostNet is a phenomenal example of this: the vulnerability which was exploited was quite old, the tool which was used was not sophisticated (Gh0st RAT), and the rest is history.
- With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
- PCI is well documented, and its domains clearly articulate what is required in order to meet compliance in terms of operational controls (manual and programmable), in addition to internal and external controls. I already addressed the nature of ‘APTs’ two bullet points ago; however, I will reiterate that by the time you are aware one is in your environment (provided you do not possess the types of technologies which would give you the view necessary to capture and identify associated ‘APT’ activity), it is too late. At this point you’d need to take immediate steps to stop the bleeding (the exfiltration of data) from your organization.
- Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
- Agreed, but again, this is true of all things within information security.
- PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
- PCI does require logging and monitoring. However, APTs require (as I mentioned previously) much more than simple logging and monitoring. Session-based analysis, for example, must be present; if it is not, you will likely never see an ‘APT’ coming, going, or just hanging about collecting data.
- People refuse to deal with PCI because they do not believe that anything bad will happen to them, similarly people refuse to deal with APT since they don’t know that APT has already happened to them.
- This is an oversimplification of the challenges associated with both PCI and ‘APTs’ (and part of the reason I stated earlier that Anton’s original post was borderline irresponsible). PCI has teeth, unlike many other regulatory and / or compliance acts. This is true for several reasons, not the least of which is that it is not being pushed by the federal government but rather originates with private business, thus placing stringent conditions upon those who must meet its criteria in order to remain in business. People do not refuse to address ‘APTs’; the suggestion is both preposterous and asinine. Most people, specifically those outside the financial services, defense industrial base, or research & development environments (pharmaceutical, high technology, low technology, etc.), are unaware of the existence of ‘APTs’. Being unaware of the existence of something does not in any way imply that under other circumstances one would refuse to acknowledge its existence should proof be brought forth. This is an underdeveloped line of logic, and it is logic such as this, espoused within the industry today, that is allowing ‘APTs’ to become the hot topic amongst any and all vendors who may or may not have any experience or expertise with these threats.
I hope this comparison and contrast was helpful to those who read it as well as Anton’s blog. My goal in writing this is threefold:
- To ensure that the dialogue pertaining to APTs and other advanced families of threats remains pure and unadulterated.
- To ensure that inaccuracies and underdeveloped concepts are prevented from permeating the cultural zeitgeist.
- To ensure certain parties avoid liberating graphics from entries posted here at Cassandra Security
On December 23, 2009, the United States Department of Justice released a statement concerning Stephen Watt. Stephen Watt is likely not a name rolling off the tongues in households across America; however, his participation in what has been called to date the “largest identity theft in our nation’s history” is likely quite familiar. You see, Watt, Stephen as I like to call him, or soon-to-be federal prisoner Stephen Watt, was an integral member of the team assembled by Albert Gonzalez (you remember Albert, right?) for the express purpose of stealing as many credit and debit card numbers as possible without being detected or ultimately prosecuted. The case in question is the now infamous TJX data breach. However, though not new news, the sentencing and the pathology behind it are something which few, if any, are addressing.
In the statement released by the U.S. DOJ, Watt was sentenced on December 22, 2009, for his role in the TJX breach, specifically for the creation of a sniffing (siphoning) application used to monitor and capture data, including customer credit card and debit card information, as it traversed corporate computer networks. Watt, who pled guilty to conspiracy charges on October 28, 2008, was sentenced to two years’ imprisonment, to be followed immediately by three years of supervised release, a condition of which is electronic monitoring of any computer use. Additionally, he was ordered to pay restitution of $171.5 million (US). For five years Watt unlawfully gained electronic access to corporate computer networks and in doing so downloaded customers’ credit and debit card information, which he later trafficked, sold and used for personal fraudulent gain. The United States Secret Service, along with third party digital forensics firms, investigated the case. Assistant U.S. Attorney Stephen Heymann, acting Chief of the Computer Crime Unit of the Secret Service, which spearheaded this case, prosecuted it.
Watt’s attorney attempted to establish a scenario suggesting that he simply lacked sound judgment and was led to participate by his own intellectual curiosity and the bonds of friendship he had forged with Albert Gonzalez while the two were teenagers. I find this to be weak at best. Would I expect a defense attorney to suggest otherwise in a case such as this? No; I think that in a case such as this one, if I were a defense attorney, I would be looking for any plausible egress point in the hopes that one would lead to light. However, I would expect that those parties hearing and prosecuting the case would not fall prey to such delusional lines of thinking (I have no reason to believe, nor am I insinuating, that either Mr. Heymann or the Honorable Judge Nancy Gertner fell prey to such vapid arguments, but rather that they arrived at a satisfactory judgment based on the facts and goals they were presented with and working toward).
The facts are clear: Stephen Watt willingly created ‘blaba’ for the express purpose of monitoring, collecting and siphoning credit and debit card information belonging to others. That this data resided on the TJX network and systems was but a technicality, as Watt and his co-conspirators were, after all, engaged in this for criminal profit. According to his defense, Watt had no idea his creation would be used for illegal activity (this is insulting to all who read it and to logic itself, given the design intent, nature and use of the code). This clearly suggests that he is either a liar or a lunatic, given the amount of evidence collected relating to conversations and other salient details of the operation that he and Gonzalez led.
What I find interesting is the potential use of similar arguments of defense in cases such as Watt’s and others where the ability to distinguish right from wrong seems to be suspect. Let’s look a little more closely at Watt’s background. A highly intelligent software engineer with an impressive resume including, among others, Morgan Stanley and Imagine Software (a trading software manufacturer), Watt graduated high school at age 16 in Florida with a 4.37 grade point average. In 2004, he moved to New York to work for Morgan Stanley, and began frequenting nightclubs and experimenting with drugs. In 2007, he took a role with Imagine Software, where he was working up to the time of his arrest. He cited his intellectual curiosity and, as mentioned earlier, his friendship with Gonzalez as the deciding factors in his participation; however, I believe (and so too did the prosecutors and judge involved) that the deciding factor was profit. Profit via criminal activity that did not seem to bother Watt or his accomplices in the slightest. Conventional thought suggests that they believed that the “banks” were insured by the FDIC and that the monies and profits acquired were reimbursable (never mind the damage they did to the reputations and credit ratings of countless thousands and the overt brand damage they brought to the doorstep of TJX). Watt was not the mastermind of the breach; that honor belongs to Albert Gonzalez, who is currently awaiting sentencing in Boston and faces up to seventeen years in federal prison. The two housed Watt’s code on a leased server located in Latvia and with it over 16.3 million stolen credit card numbers, while another 27.5 million stolen card numbers were located on a server in Ukraine.
I worry that more will, upon being identified and caught, feign or claim ignorance or, worse yet, the inability to determine right from wrong as a plausible defense, making illegal activity of this sort and its prosecution akin to violent crime prosecution and the insanity plea. I feel there is danger in this and in other defenses being introduced into courts of law which suggest that a person guilty of (knowingly) committing a criminal act was unable to determine the legality of their actions due to some pre-existing circumstance or condition. Take the case of Gary McKinnon of the United Kingdom, for example. McKinnon was found guilty of penetrating and disrupting computer systems and networks belonging to NASA and the United States Department of Defense. McKinnon, who claims to have been on a quest for truth regarding UFOs, penetrated over 90 classified systems and networks in 2001 and 2002. He faces extradition to the United States, which was granted by the courts of the United Kingdom; however, he is currently fighting extradition based on his claims of suffering from Asperger’s Syndrome (a type of pervasive developmental disorder (PDD); PDDs are a group of conditions that involve delays in the development of many basic skills, most notably the ability to socialize with others, to communicate, and to use imagination). Based on the information gathered on it, Asperger’s does not suggest a failure or inability to recognize right from wrong. In fact, there are many highly regarded, influential historical figures from all occupations who have been diagnosed with Asperger’s.
Personally, I feel that defenses such as those posed by Watt’s attorney and by McKinnon are both scandalous and shameful. They insult and mock those who do suffer from diagnosable developmental disorders while, at the same time, attempting to insult the intelligence of the masses. In order to prevent them from becoming the defense du jour, it is my hope that the courts begin laying down much more restrictive, severe sentencing for criminal acts such as these. Failure to do so in many respects encourages the risk-reward calculation used by criminals in order to justify their activities.
The Payment Card Industry Data Security Standard (PCI DSS) is not the devil incarnate, but it comes under scrutiny (for good reason, a great deal of which has less to do with the standard itself and more to do with the organizations wrestling with it, along with the credit card corporations themselves) likely as often as the devil himself. Before PCI was PCI, before there was this digital equivalent of “reefer madness” in which fear, uncertainty and doubt, once relegated solely to the world of payment cards and their affiliated merchant, provider and banking environments, seemed to permeate every fiber of the tapestry of the Information Technology and Information Security worlds, all the bigs (Visa, MasterCard, American Express, Discover Card (aka Discover Financial Services), Diners Club and JCB International) had their own ‘ways’ of assessing the security posture of their vendor / provider networks. Some were more inclusive and detailed than others. That is a fact.
It was ugly, it was cumbersome, it was ineffective, and it warranted change, as the credit card corporations and their affiliated banking partners were experiencing fraud and exploitation in a variety of ways from a variety of sources, which ultimately led to a convergence occurring within that world. A convergence which would have an impact upon us all for years to come... like chocolate and peanut butter, only not as good. Initially this did not seem like a bad thing. In fact, I happen to believe it was necessary on a small scale to aid in jump-starting awareness. I am proud to be personally acquainted with the primary architect of the original draft of the first PCI standard and know where his mindset was when he drafted it. I know his intentions were pure with respect to this standard. Furthermore, I also know that he did not and does not believe the PCI DSS to be a legitimate replacement for sound risk management practice, but rather a starting point for many organizations which had no bearing point. Fair enough. I think we can all accept that, at least those of us who are intellectually honest. What happened? Why all the hubbub? How did something which started out with solid intentions turn into this new and creative form of audit water torture, which often yields little in the way of sound risk posture aside from gaining PCI accreditation... for what that is worth... I’m guessing the folks at Hannaford Supermarkets, Heartland Payments and ChoicePoint (parts I & II) know what I’m talking about.
The PCI standards are easily had these days, as are lists of authorized assessors; however, just because they are easily had (both the ‘standard’ and the assessors) does not mean they are effective. In many respects, PCI reminds me of the early days of HIPAA, the difference being that with PCI people are actually being penalized for failing to comply. Sort of a novel idea, really. However, I believe that regulatory and auditing criteria (standards), important as they are, in and of themselves do not meet the needs of enterprises small and large, private or public, in our world today. What can meet these needs? (cue drum roll): well designed, business-centric risk management security programs and frameworks. Are they trivial? No. No, they are not. However, neither is PCI, or HIPAA for that matter, and whereas both PCI and HIPAA fall into the Sisyphean category in my view of the world, risk management does not. Additionally, if undertaken, risk management initiatives will provide an enterprise with a wealth of information which PCI never would (sorry guys), not on its best day. So the question (or one of them anyway) becomes: why continue to divert time, effort and resources (personnel and budget) into something so one-dimensional when a properly designed, risk management based security program can address these and every other regulatory and compliance concern you’re presented with? The bit gods must be crazy... let’s read on.
I believe that the only way to rescue the hearts and minds (and ledger books!) of those responsible for budgets within industry is through demonstration of the intrinsic value of risk management (e.g. enterprise risk management, fiduciary risk management and information security risk management working in concert). This demonstration must be ubiquitous and comprehensive in scope for the enterprise in question, touching all areas of the business: customers, business partners, P&L, revenue streams, brand preservation, etc. This is something that I feel passionately about, as do others within our industry. The fact is that as times and circumstances change (for better or worse), so too will budgets (for better or worse), and if initiatives such as PCI are not reconsidered in both scope and value (given the current volume of spend being seen as a direct result of meeting or achieving compliance with the standard), we may very well run the risk of encouraging and incurring new and previously unforeseen risk via new threat vectors, previously not considered nor addressable due to a lack of budget (capital or operational) for investment in innovative technologies, processes and people.
5 Things Which Vex Me Greatly :) Happy Friday
Few things in this life, let alone this industry, vex me as greatly as do the following:
- Intellectual dishonesty in any form
- Moral corruption and / or unethical behavior
- The blind leading the masses
- Arrogance in the absence of merit
- Paper Dragons
This post is a bit different from those that have previously made their way onto Cassandra Security (perhaps because I’ve been tied up doing other things lately); however, thematically speaking, it does tie into our philosophy as well as much of what I have written with respect to cyber codes of ethics, leadership, values and responsibility. I recognize that for some, this post will be upsetting and to a degree irritating. To that, all I can say is: I am simply unapologetic in my desire to serve and seek the truth. Perhaps it is time for those who feel, think and believe that what we do in life echoes on in the shadows of eternity to truly begin applying that belief to their daily actions and consider the implications of not doing so. We are measured every day in ways of which we oftentimes are not cognizant. All of us are, and to that end, all of us have a responsibility as professionals to provide guidance and wisdom when we can and, at a minimum, strive to ensure that the defenseless are defended when no one else is willing to do so. It is a responsibility and an honor for those who dare. Now on to the post!
I believe there is much intellectual dishonesty at work within our industry. I believe that this intellectual dishonesty is cutting off the vitality we so desperately need in so many areas. I believe that it is gumming up the works, ultimately making us less and less efficient as professionals and practitioners of our trade. I believe that an artificial level of complexity has been introduced (and continues to be reinforced due to motive and profitability), forcing debate over ideas and concepts which cause us to lose focus and sight of the big picture. When I consider these debates, PCI DSS 1.1 and 1.2 come to mind, as does HIPAA regulatory legislation, and generic banter about ‘optimization’. Optimization conversations are especially painful in that they are almost always predicated not on best practices or what is considered to be a standard of good practice within the industry (for the benefit of the users and businesses), but on the integration (yep, I said it, integration) of a given vendor’s suite of products and management tools. Over the years I’ve sat through many conversations on various sides of the table where one would’ve sworn that the platform in question possessed messianic properties. This is, simply speaking, transparent and intellectually dishonest, and something I have growing disdain and intolerance for. Over the course of my career, I have worked in a number of different capacities within our industry: within the DoD, consultancies, the vendor community, and back to the consultancy and start-up communities. Intellectual dishonesty does not exist in my dojo; does it exist in yours?
Moral corruption and unethical behavior. I will simply say this: anyone can be a character but not everyone has character. A man who lacks honor in the small things will demonstrate gaps the size of canyons in large things with respect to moral character and ethics. I believe that character counts and that to be morally corrupt or unethical is to be dishonorable; there is no room for dishonorable behavior in my dojo; is there room in yours?
With respect to the blind leading the masses... this is a touchy one for me, as it is something I and my closest peers within the Cassandra family and industry have witnessed and observed over time. The blind leading the masses as though they know or possess some esoteric knowledge the masses do not. There is an old saying that one of my uncles is fond of quoting: “In regione caecorum rex est luscus.” In the land of the blind, the one-eyed man is king. This quote is attributed to Desiderius Erasmus in the 15th century. What does it mean? It means that those who can see, regardless of how poorly, have an advantage over those who cannot see at all. But what if they are as blind, if not more so, than those whom they lead? I believe many so-called “leaders” within our industry, certainly those whose aim is simply to sell a product (treating all products as though they are simply widgets), are only slightly more enlightened than those whom they call upon (and I would dare say that many lack the vision, expertise and war wounds to truly speak with authority). In general, I believe they do not contribute positively to the development of our industry, our profession, and our craft, or to the environments or individuals that we seek to protect hourly, daily, weekly, monthly, etc. I have no time for the blind leading the masses and refuse to allow blindness to exist in my dojo; does it exist in yours?
Arrogance in the absence of merit. I suppose this dovetails swimmingly with the previous topic of the blind leading the masses. I question the wisdom of allowing those who lack the benefit of having experienced both failure (yes, one can benefit, learn and grow from failures) and success in our industry to lead. It has been said there are no atheists in foxholes. I believe that, as I’ve sat in foxholes in unappetizing parts of the world with others who held the same beliefs as I, either prior to or directly upon entering said foxhole. I believe that there is no substitute for experience and that expertise is the product of much failure; much victory, oftentimes hard fought and gained after much failure; diligent, relentless, tireless effort; passion; and the belief in something greater than oneself, which leads to our calling. Humility is something of an awe-inspiring thing to witness, especially when demonstrated honestly, without pomp or pretense, by someone who (in most circumstances) does not have to do so. A healthy amount of arrogance gained from experience is fine. However, a healthy amount of humility gained over time via the testing of one’s mettle is worth far more in my opinion. I do not labor under the delusion that this is a commonly shared or ubiquitously held attitude in our industry, let alone within business; however, that is OK. I do not need it to be, as my main concern is mastery of myself in order to serve the greater good and, in doing so, achieve a state of dangerous humility akin to that of the Samurai. Arrogance in the absence of merit is not allowed in my dojo, but humility is; what about yours?
Paper dragons. This is perhaps one of the grossest irritants at work within our industry today. The paper dragon looks impressive: colorful, majestic, perhaps even intimidating in the right light and given the right platform. Nevertheless, take away the right light and the right platform (an artificial platform, perhaps), examine him closely, and you will see that his scales are actually paper, and that so too are his teeth. Upon further investigation you may find that not only are his scales and teeth false, but so too are his claws and breath. At which point you might ask yourself, “What purpose does a dragon made of paper serve other than to look good and potentially intimidate from afar?” My assertion is that the answer will be all too obvious. Paper dragons do not exist in my dojo; they are unwelcome and will not be tolerated; what about in yours?
Have a great Friday!
PCI DSS: Sisyphean Task?
PCI DSS compliance is a Sisyphean task. I believe this wholeheartedly. Though well intentioned, I feel it is just as challenging as the price paid by Sisyphus for his transgressions against the gods. The myths tell us that Sisyphus was a rather nasty bloke. He was a king who believed he was above the laws of men and gods, and was condemned by Zeus for his trickery to be chained in Tartarus by Thanatos (Death personified) for all eternity. Sisyphus, being the crafty fellow that he was, asked Thanatos to demonstrate how the chains worked and subsequently chained Thanatos himself, thus disrupting the natural cycle of life and death. This deceit led to Ares’ eventual intervention, which led to Sisyphus’ final destination. It is in honor of Sisyphus’ punishment that we in the modern world refer to tasks that are seemingly insurmountable as being of a Sisyphean bent.
I want to be clear that I am not suggesting those who are tasked with meeting PCI DSS compliance have earned that fate by virtue of their wickedness, as Sisyphus earned his, but that, like Sisyphus, the net result is often an uphill battle that never culminates in victory. It seems that the nature of the PCI DSS standard, and the interpretive flexibility given to the QSAs and ASVs responsible for conducting audits and assessments, results in some cases in Sisyphean ends. Regulatory compliance (and this is not solely reserved for PCI DSS) has somehow become equated with being secure; the two couldn’t be further apart. My good friend and former co-worker Josh Corman is fond of quipping that the PCI DSS standard has become the information security space’s equivalent of ‘no child left behind’; in other words, a demonstration of too little, too late. I tend to believe that there is nobility in desiring to address the weaknesses which place so many (and so much) at risk; however, we cannot afford to ignore the lessons learned from Sisyphus’ struggle up the mountain. A great deal of time, toil, and effort (let’s not forget exertion and pain) are required to get the boulder (or in this case the audit criteria, artifacts, interviews, etc.) up the hill, only to see it teeter and begin rolling back down. But had the work been done to begin with, would the boulder ever have met the foot of the hill? The myth of Sisyphus offers many lessons in morality. One which stands out in my mind is that actions have consequences, and results may vary.