A little over two weeks ago United States Army Specialist Bradley Manning was arrested and life as he knew it changed forever.   Manning, an intelligence analyst stationed at Forward Operating Base Hammer, 40 miles east of Baghdad, had implicated himself as being responsible for the disclosure of in excess of 260,000 classified documents that he harvested from military classified networks (SIPRNET and JWICS).   He shared this information with Adrian Lamo, the well known “reformed” black hat hacker, over encrypted instant messaging sessions, ultimately culminating in Lamo turning to the United States Army’s Criminal Investigation Division (CID).   Lamo, along with Wired.com journalist Kevin Poulsen, has been labeled a ‘snitch’ as a result of Lamo’s cooperation with the authorities and Poulsen.   The Internet is awash with speculation regarding this story, with parties such as Julian Assange, founder of the Internet whistleblower site WikiLeaks.org – the site to which Specialist Manning allegedly provided these documents and videos – stating that were Specialist Manning responsible for the submissions (which Assange will neither confirm nor deny), he should be regarded as a national hero.

Regardless of your position on free speech or what only time, investigation and thorough analysis will reveal pertaining to the Manning case, gross misconduct occurred in what can only be described as a willful manner as it relates to Specialist Manning, his military occupational specialty, his rating, unit, command and brothers in arms the world over.   Philosophy, politics and idealism are the wildcards in our space; the black swans which, when identified, must be taken note of, as that which motivates them in many respects lies squarely outside of the norms associated with breaches of this type.   In most cases of espionage, which is candidly what this is — regardless of your feelings or philosophy, there are often common indicators that are noted and tend to be exploited by those seeking to exploit a party to do their bidding.   This case is different.   It’s interesting and quite candidly horrifying in that Specialist Manning (to the best of the data we have to date) was not motivated by greed or financial hardship (motivators seen in countless other cases such as the cases of Ames, the Walkers, or Hanssen for example), or vice (as seen in the case of Lonetree).   No, by all accounts (again taking into consideration that these accounts are coming largely via third party relay and information being disclosed resulting from the communications between Manning and Lamo along with information provided by friends of Specialist Manning), Specialist Manning was motivated by that which we might most easily describe as idealistic or philosophical.

As a result, I am going to refrain from weighing in with an opinion regarding guilt or innocence, as no doubt Specialist Manning will be undergoing investigation and, I would imagine, a Court Martial as a result of the allegations being brought forth against him.  Certainly the communications he provided Lamo will act in building and strengthening the case against him, and we would all do well to remember that Specialist Manning – like all military personnel – swore an Oath of Enlistment which calls for the party swearing said oath to defend the Constitution of the United States from all enemies, foreign and domestic.  The oath itself looks like this:

“I, (name), do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice. So help me God.”

It is communicated in an elegant and articulate manner and leaves no room for interpretation.   Beyond that, when one enters into a military occupational specialty which requires a security clearance, one’s life and personal opinions must be willingly put aside for the greater good, as the lives of others more often than not depend on a clear, unwavering stance on service, obligation and duty to the nation.   Having said that, it should be noted that it is not my place nor is it my desire to pass judgment on this young man.  That day and duty will come, and justice will be served in a military court of his peers at a time yet to be determined.  My real concern stems from the situational awareness of those in charge of the facility in which Specialist Manning worked on a daily basis and their procedural and operational effectiveness.   Allowing anyone to enter into a classified environment with read / writable media is not uncommon.   Read / writable material is used within these environments.  However, allowing them to leave the facility with read / writable material – regardless of how it was labeled (in this case Specialist Manning stated that he labeled a read / writable disk as a ‘Lady Gaga’ CD and proceeded to pretend to lip-sync to her songs while he was scouring secure, classified systems and networks for material which he later downloaded within a split compressed file) – is unusual to say the very least.  In most cases it does not, and never should, occur.

This no doubt will be investigated by Army CID and others and will likely see the watch command, Officer in Charge and others investigated in order to properly assess whether Specialist Manning acted alone or in collusion with others.  The results?  Well, we’ll have to wait for the results to be arrived at – we may never know, as the Department of Defense may desire (and it is their right to do so) not to disclose all that they find.   Regardless, I cannot think of a better case to highlight the need for regular and vigilant security awareness and educational training, in addition to greater degrees of cognizance of the existence and potential use and hosting of onion routed repositories within networks (public or private), which may be used for questionable and in some cases quite clearly criminal ends.

One of my favorite parts of penetration testing is and always has been social engineering.   I love it.  In fact, I love it so much that I developed a real passion for it.  My passion led well beyond traditional social engineering and evolved into the study and practice of more sophisticated techniques associated with socio-psychological manipulation.  It is a gift of sorts, and who am I to question a gift?   When speaking with prospective or current clients with respect to security assessments I have often implored them to include both physical security analysis and social engineering.   This habit was formed upon entry into the world of professional security consulting, where I sharpened these skills under the tutelage of many senior to me in both age and experience.   Almost all of my earliest mentors in this space were or had been active in the United States DoD or like intelligence services, most of whom shared a common pedigree not unlike my own, hailing from the world of information security and intelligence.   These environments taught us to remain vigilant and open to the idea that the unexpected should be expected; therefore our ability to address anomalous events must remain categorically strong.

Over the years, within many engagements, activities of this nature were written into SoWs (Statements of Work for the lay person) and acted upon with full approval of parties both able to authorize such activity within and against their organizations and their legal representation (a detail I cannot stress enough should not be overlooked).  We would engage in reconnaissance, carefully leveraging skills we had cultivated in our former lives and applying them to the commercial world.  We would engage in deep open source intelligence gathering and analysis in order to supplement our knowledge base regarding our target(s).  We would become familiar with the physical environment in which our targets could and would likely be found.  These locations would range from their places of business, to local restaurants and pubs, to local shopping districts, to other geographic locales that we knew to be frequented by parties belonging to the organization, our target, in question.  All the while we would be looking for ingress and egress points in addition to ideal areas for initial contact and exploitation.   We would additionally identify areas in which useful information may or may not be discarded by targets who truly believed that no one would be interested (ah, how I loved dumpster diving in my youth!).  Finally, upon having enough information, we would begin our careful insertion and infiltration.   There is an art to doing this as much as there is a science, and at times the art becomes (or at least in my experience became) much more valuable.

These exercises almost always proved fruitful, as they would typically be multi-faceted, involving multiple small teams, each of which was cognizant of the others’ activities but all tasked with different missions during these exercises within the greater assessment.  Some teams focused more upon the physical compromise of the environment: the acquisition of credentials and knowledge which could be socially engineered or stolen and thus counterfeited to serve our purposes in pushing deeper into the environment, escalating our mission per our SoW and charter.  Others would work on compromising individuals, seeking to gain their trust and subsequently their knowledge and any information considered noteworthy.  Others still would work on electronic and social engineering utilizing e-mail, web and telephonic techniques, all designed to gain the trust of our targets or members of our target organizations in the hopes of escalating our privileges and advancing our efforts.   This was good work.  It was important work.  And it was work that not all are capable of nor designed for.   To the layperson reading this post I imagine it sounds outrageous if not frightening that work of this nature goes on and is conducted by security professionals in an effort to test and assess the security posture of a client, and to a degree I can understand that attitude.   However, this work is terribly important and often demonstrates weaknesses not previously accounted for within enterprise environments (public or private) during traditional security assessments and audits.

At this point you may be wondering whether or not there is merit in engaging a qualified team to provide this type of service in addition to the traditional services brought to the table as part of a security assessment.   My personal perspective is that if you have overt responsibility for the risk posture of an organization and understand that security, or the state of being secure, is contingent upon the three legs of the security stool (people, process and technology) being dutifully tested and exercised, you most assuredly should do so.   Failure to do so can expose you and your organization to a world of risk which complying mindlessly with a three lettered data security standard or a mutagenic health-privacy act cannot hope to save you from.   So what are we to do?   First, if you haven’t already done so, conduct a meticulous review and analysis of your organizational information and physical security policies.   If you don’t have any, now is the time to remedy this deficiency.   Should you (as I imagine most do, but will refrain from assuming) have these policies on hand, review them while employing a healthy dose of third party ego: remove yourself from the immediate, intimate involvement with them as they relate to your job and evaluate them as though you were brought in to do so as a third party.  Do they look mature?   Are they clearly articulated and well defined?   Are they comprehensive?   Do they address the natural bridges that occur between physical and logical security?   Provided you have the resources, engage them to conduct preliminary assessments (provided they are qualified to do so), and if they are found to be lacking in the ability, do not hesitate to contact professionals with the appropriate pedigree, background and reputation to speak to about scoping a statement of work on your behalf.
Remember that not every attack of a truly serious nature takes place across a wire, and that many begin and end with a simple telephone call, a conversation around a smoking area or via a new hire.

By nature, I am an empiricist; it is who I am and it works for me based on my bent toward analytics and multi-faceted (at times onerous) levels of thought and pontification.   I am unapologetic about the way I approach things; it is simply who I am.   Having said that, I recognize that I am not – nor is my way of approaching things – universally embraced or right for everyone.   To assert otherwise would be intellectually dishonest.   I am particularly intrigued by (and spend a lot of time reading and studying) determinism and randomness theory and philosophy.   For many of us, life is as simple as asking a question which the quintessential Canadian thinking man’s band Rush asked on its 1991 album Roll The Bones: “why are we here, because we’re here, roll the bones”; while for others the question of why, and perhaps more importantly the answer, is not so simple.  I fall into the latter camp.

I am a student of empiricism; I am a stalwart advocate of critical thinking and reasoning, especially when it deals with philosophical schools of thought such as determinism vs. randomness and how they interact within the world in which I professionally live and work.   These ideas are not new.  In fact they are quite old.   They are in many respects extremely old and, as a result of their vintage, they have been and remain the subject of great debate.   Authors and thinkers such as Nassim Nicholas Taleb, who wrote two of my favorite books on the subject, Fooled by Randomness and The Black Swan: The Impact of the Highly Improbable, go to great lengths to explain these concepts along with their impact on causality.    So too did David Hume, the famed Scottish philosopher, along with Karl Popper and Colin Howson.   Needless to say, there is a long and strong tradition of examining deterministic vs. random philosophy as it relates to probability.   The concepts are as old as time itself; as long as mankind has had the ability to reason he has struggled with whether events occur due to deterministic causes (or more appropriately because of events which exist and influence other events, thus arriving at the cause for a current event), or due to sheer randomness.  We are no different than our predecessors in this respect.   We seek knowledge with respect to the origins of things and events, in addition to what their existence will mean to us as we move forward.   This desire to know unequivocally what influences outcomes and the probability of those outcomes is central to the theme of our existence.  As a result, it infiltrates (if we are paying attention) all aspects of our lives from the most complex to the least.   We find ourselves asking why certain things occur at the time and place that they did, and to what end.
I happened to be in New York City last weekend making my way to LaGuardia Airport via the Holland Tunnel at the height of the melee that was underway surrounding the events of the car bomb discovered in Times Square.   Needless to say, traffic through the Holland Tunnel was less than forgiving, nor was that which we encountered on the way to Queens any better as a result.    On the trip into the city news commentators could be heard speculating with respect to the cause of this event.   Why would a young, respected naturalized American citizen (Faisal Shahzad) find it acceptable to place a makeshift bomb in Times Square?  What was his reasoning?  His goal?   His message?   Who was behind the activity and what might be the logical extension seen as a result of this event? All valid questions.   All seeking validation with respect to understanding whether or not the causality associated with these questions and the event in question (not to mention the young man) was in fact deterministic in origin or random.  We know that it was in fact not random based on evidence that had been collected, and authorities are continuing to investigate the events that led to this event and ultimately influenced it from the perspective of cause.  We humans tend to do this with all manner of things ranging from the serious to the trivial.

With respect to information security, or security in general, I believe we do so more often than people realize.  Security, or being secure, is in many respects dependent upon being able to detect, identify and observe causality.  In being able to accomplish these three things, we are better positioned to account and prepare for the unknown.  If you stop to think about that for a moment it should become quite clear that the act of securing anything – home, car, host, server, network, people – requires the acknowledgment of historic reasoning (in both deterministic philosophy and randomness), while at the same time the acknowledgment of the unknown.

We see this often within the friendly confines of our industry.  Take for example the following:  An organization is instructed by a governing body that in order to achieve a state of conformity with that governing body the organization in question must meet and demonstrate achievement of x number of criteria.   Failure to do so will result in negative ratings that may or may not result in fines and / or the inability to conduct business transactions.   The governing body assumes that arriving at a state found to be in alignment with its standards will discount and eliminate (due to deterministic causality) any potential for randomness to manifest, thus negating the possibility.   But what if their assumption is wrong?   What if the data which they have assumed to be whole and comprehensive is not so?

I fear that this is more common than not within our space due to a lack of due diligence and of a grasp of historical accuracy with forensic-like precision.

Here’s another example:

A software-publishing house develops an application for quick processing of financial transactions.  It is seen as mission critical to the organizations that purchase it, looking to capitalize on any edge they can to beat their competitors to the market.   Speed in this case is very good.   The software publishers, realizing the importance and value of the application to their clientele, decide to expeditiously develop and push the code to market, rushing through all quality assurance (QA) and beta testing in order to beat the deadlines set by the executive teams and realize the greatest degree of revenue possible.  The developers run through the exercise of white boarding the data flow and block diagrams, technical requirement documentation, marketing requirement documents and product roadmap documents.     From there the code is pushed through the QA gauntlet at light speed and rushed into the beta testing customer environments.   Initial results are noted and brought back to product management and engineering, who then wrestle with addressing the issues in a timely fashion in order to stay within budget (both financial and time budgets) while not missing their window of opportunity within the market space.   The code is run through QA again, and pushed for GA candidacy.

But there is a fly in the ointment.   Some young (or not so young), perhaps charismatic (or at the very least quirky) individual is asked to look at the code or application as part of an audit and assessment and finds that, lo and behold, it is vulnerable to an abundance of potential threats, all of which can be exploited in a trivial manner.  At the same time this assessment is occurring, the code and its publishers are reaping great successes and accolades.  The code, now a fully baked financial suite, is swiftly on its way to becoming one of the most popular suites of its kind in 21st century business; yet it is as vulnerable to exploitation as a runaway at a Port Authority bus station.  While our young or not so young assessor of questionable charismatic quality is reviewing the code, carefully noting the deficiencies and potential for complete exploitation, reports begin trickling in to our software publisher that exploitative events have begun.  Worse yet, they were events that were not accounted for during initial or secondary quality assurance testing and thus were perceived as being random.   We know however that randomness is simply the failure to take note of events that feed into causality, which therefore can be interpreted as a failure in paying attention to detail.   Perhaps one of the gravest mistakes anyone can make, yet all too common within our world and history, let alone our industry.  So what are we to do about this?   How can we, as professionals, convey a sense of urgency that supersedes and avoids a “chicken little” like knee-jerk response to events we encounter?  This is easier said than done, especially in a world where information travels at the speed of light.   I believe that in order to achieve the proper perspective we need to encourage the following:

This is by no means a trivial event; nor has it ever been an easy proposition.   The ability to interpret historical events and data — even when they appear to be disparate and unrelated — is paramount to achieving the goal of comprehensive deterministic understanding.  In short, this allows us to avoid via scientific means the pitfalls associated with randomness and its associated theories.   In order that we may achieve this, the ability to reflect upon our data sets and circumstances, all while applying observing ego, is of paramount importance.

When I think of information security in the broadest sense, I immediately think of managing and mitigating risk.   I know of no more appropriate way in which to view our discipline and have for years and years (largely due to my diverse background in both research and consultancy organizations) struggled to understand why there is opposition to this point of view.  Risk management is a widely accepted discipline within other industries, namely finance, but also within enterprise operational business models (often referred to as ‘enterprise risk management’ or ‘fiduciary risk management’).    It pains me to no end that today, in the year 2010, there is still such an egregious misunderstanding of risk management within business.  It worries me that there is so much opposition to asking and answering three very simple, yet insightful questions about one’s enterprise environment.

It troubles me deeply that there are so many misgivings with respect to the benefits associated with and derived from proper management of risk and the establishment of a solid, comprehensive risk posture from which a security program and framework can be derived to meet the needs of the organization as a whole and on individual levels amongst business units and individual contributors.    Recently I engaged in a thought provoking conversation with the talented and engaging Mr. Dan J. Molina, during which a substantial amount of time was dedicated to discussing this very matter.  During the conversation we discussed, in no specific order, many of the points which are debated (some with greater degrees of merit than others) within our industry regarding risk management:

  1. Risk is inherent in all things; nothing worth doing (or not doing) can be said to be devoid of risk
  2. To understand risk one must embrace it, not run from it
  3. Risk can be empowering if one takes the time to explore it, or devastating if one ignores it
  4. Neither men nor organizations of men (in business, government, or life) can eliminate risk; they can only work to manage it via mitigation with the hope of minimizing impact
  5. Too many people mistakenly equate risk management with compliance – the two are not mutually exclusive, however they are by no means the same thing
  6. Risk management is hard, and as a result of it being hard it is undesirable to many, as it requires EFFORT!
  7. Risk management is an impossible or unrealistic ideal – the Ranum / Schneier debate…it’s rubbish
  8. The practice of managing risk does not require the invocation of a ‘new school of thought’; there is nothing wrong with the schools of thought present and accounted for today or yesterday; adoption is not dependent on the cohesive nature of the school of thought
  9. It is both irresponsible and foolhardy to operate as though risk does not require managing or that it is not present in all things
  10. There is no way to force risk management into effect regardless of how compelling the data supporting it (actuarial data, circumstantial data etc.) is or might be

The discussion of these points gave way to another discussion on whether or not there was merit in simply ‘feeling secure’ as opposed to being secure and having to demonstrate a state of security vis-à-vis evidence of a mature risk posture.

We then discussed the importance of feeling secure as it relates to the demonstration of security vis-à-vis evidence of risk posture, as they relate to the state of being secure.  For many, ‘feeling secure’, as Bruce Schneier has pointed out in the past, is as or more important than actually demonstrating security via hard fact. I tend to agree with Schneier on this point: many would be comfortable operating under the belief that they are secure (regardless of whether or not it had been substantiated via qualitative and quantitative means) by virtue of how they feel, as opposed to actually knowing they are secure.   In essence the argument boils down to a collective delusion which finds everyone sharing the same experience, the same reality, regardless of its accuracy.  This of course is dangerous at best and potentially cataclysmic at worst.

So how do we change the perceptions of risk management within our industry?  That is the question!  There are many ways to begin, though none are trivial.  The process requires us, as industry professionals, to view the subject of risk management as a legitimate discipline or not.  This is something which cannot be legislated, nor can it be faked.   One either believes or sees the realities associated with being able to manage risk in qualitative and quantitative terms or one does not.   It is as simple as that.  Risk management exercises (provided they are undertaken) are unique to the individual organizations endeavoring to learn from the process.  These organizations rely on transparency and accuracy of data; otherwise their yield is worthless, as it neither reflects fact nor sustains it.   Open, honest discourse related to the data brought to bear is essential to this process.   Should this be found to be lacking, then the entirety of the process must be called into question, with any and all data points being held under close scrutiny.  This blog posting is not, in any way, meant to trivialize the process of risk management or oversimplify the challenges associated with it.   By no means is it!   It is, however, meant to be a catalyst for thought; a morsel for consideration which hopefully will (ideally) lead to more mature discussions and (God willing) help remedy the madness which clouds and obstructs our collective vision.

This post is very timely, as we now have a use case that scratches the surface on exploiting Telematics.  For those of you that have never heard of Telematics, Wikipedia provides a great definition: “The integrated use of telecommunications and informatics, also known as ICT (Information and Communications Technology). More specifically it is the science of sending, receiving and storing information via telecommunication devices”. In most new cars today, you have the option of purchasing Telematics to provide integrated GPS, Wifi, Bluetooth, 3G and GSM.  These innovations are great, as they keep us connected and on track to our destination.  Furthermore, OnStar has been incredible at determining if you’ve been in an accident and, with GPS, can send first responders to your location…it even helps if you lock your keys in the car ;-)  I just recently purchased a Jeep and enjoy the benefits of Telematics as most consumers of these technologies do.  However, at RSA San Francisco, I had an interesting conversation with my close friend and colleague Will Gragido on Telematics.  We discussed the dark side / security risks associated with Telematics.  We went down the path of eavesdropping on conversations via Bluetooth, which can be done but is difficult to pull off, as you need to be in close proximity.  We also went down the path of hijacking the car’s wifi to see if we could get access to the GPS data and the fun we could have with that content.  We decided to table the discussion for a while but kept it on our list of emerging threats / exploitable technology that could provide a new avenue for cyber actors to exploit.

Sadly, in my hometown of Austin, Texas someone pulled off a nefarious act of exploiting telematics.  Wired actually ran the story this week.  They did an incredible job in the article, and for more information you can check it out: http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/ .  In short, 20-year-old Omar Ramos-Lopez was accused of bricking cars through a service provided by Webtech Plus.  This gives the auto dealer the capability of triggering the car horn and disabling the car’s ignition remotely through the web.  Omar chose to trigger the horn of a reported 100 cars.  Let’s step back and put our Blackhat on…just imagine the order of magnitude that can be delivered from a keyboard in disabling the ignition of all cars that are connected to Webtech Plus.  Not playing armchair quarterback…but I will….this is classic insider threat / disgruntled employee and could have been avoided.  Let’s get to the basic building blocks of Information Security.  When someone leaves an organization, passwords and access must be changed, especially if they deal with the capability of controlling the ignition of a car.  Omar committed a nefarious act and should be punished according to the law if found guilty.  However, the company should have done due diligence, and this is probably a wake-up call to change procedures for when someone leaves the company.
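The deprovisioning point above can be turned into a routine check. The following is an added example, not code from the original post or from Webtech Plus: it reconciles a (constructed) HR termination list against the access roster of a hypothetical remote vehicle-control service and scans a constructed audit log for horn and ignition commands issued by accounts after their owner’s departure. The service name, account names and log format are all assumptions.

```python
"""Added example (not from the original post or any real vendor).

Two defender-side checks for a remote vehicle-control web service:
  1. which accounts are still enabled although HR says the person left, and
  2. which privileged commands (horn / ignition) were issued by such an
     account after the termination date recorded by HR.
All rosters and log lines below are constructed for illustration.
"""
from datetime import datetime

# Constructed HR record: account -> termination date (ISO), or None if still employed.
HR_ROSTER = {
    "jdoe": None,
    "asmith": "2010-02-15",
    "bwhite": "2010-02-20",
}

# Constructed access roster of the hypothetical remote-disable service.
ACCESS_ROSTER = {
    "jdoe": {"enabled": True, "role": "dealer_admin"},
    "asmith": {"enabled": False, "role": "dealer_admin"},   # correctly disabled
    "bwhite": {"enabled": True, "role": "dealer_admin"},    # left, still enabled
}

# Constructed audit log: "<timestamp> <account> <action> <vehicle id>".
# One deliberately malformed line is included to show it is skipped.
AUDIT_LOG = """\
2010-02-18T09:12:03 jdoe horn_trigger VIN-0001
2010-02-22T02:41:17 bwhite horn_trigger VIN-0042
2010-02-22T02:41:19 bwhite ignition_disable VIN-0042
2010-02-22 partial-line
2010-02-22T02:41:25 bwhite ignition_disable VIN-0043
2010-02-23T10:05:00 jdoe ignition_enable VIN-0043
"""

# Actions that affect a vehicle and therefore warrant review.
PRIVILEGED_ACTIONS = {"horn_trigger", "ignition_disable", "ignition_enable"}


def stale_accounts(hr, access):
    """Return accounts still enabled even though HR records a termination date."""
    return sorted(
        user for user, info in access.items()
        if info["enabled"] and hr.get(user) is not None
    )


def parse_log(text):
    """Parse the audit log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, vin = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"ts": when, "user": user, "action": action, "vin": vin})
    return events


def post_termination_actions(hr, events):
    """Privileged actions performed by an account on or after its owner's termination date."""
    hits = []
    for ev in events:
        term = hr.get(ev["user"])
        if term is None or ev["action"] not in PRIVILEGED_ACTIONS:
            continue
        if ev["ts"] >= datetime.fromisoformat(term):
            hits.append(ev)
    return hits


def summarize(hits):
    """Count flagged actions per account, e.g. {'bwhite': 3}."""
    counts = {}
    for ev in hits:
        counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return counts


if __name__ == "__main__":
    print("Enabled accounts of departed staff:", stale_accounts(HR_ROSTER, ACCESS_ROSTER))
    flagged = post_termination_actions(HR_ROSTER, parse_log(AUDIT_LOG))
    for ev in flagged:
        print(f"ALERT {ev['ts'].isoformat()} {ev['user']} {ev['action']} {ev['vin']}")
    print("Flagged actions per account:", summarize(flagged))
```

In practice the HR feed and the service's user list would be pulled from their real sources on a schedule, and the roster check alone (run before any log is needed) is what would have caught an account that was never disabled.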

As this is a wake-up call to the auto industry, we as security professionals need to keep this threat vector on our radar, and if we serve this business vertical, we should press the issue and make sure access to this type of information is tightly controlled.  Perhaps there are frameworks around this specific threat, and I’m looking for them.  Until then, keep secure and keep educating.  Your thoughts on Telematics?

Cyber-crime: Evolutionary End or A New Beginning?

At times it can be very difficult to focus on the facts in a world where one is barraged by information in ways that the greatest of science fiction writers could never have dreamed.   Media figures along with industry pundits tend to spout facts and figures, often in the absence of knowledge and authority.   Many times this leads to outcries amongst the information security intelligentsia, who seek to ensure that as little flawed logic and FUD (fear, uncertainty, and doubt) is interjected on a daily basis as possible.   Opposition from within the ranks of the intelligentsia is a good thing, though many might suggest it is elitist and at times breaks from the tradition of all things ‘hacker’ in the sense that it establishes a clear ‘us’ and ‘them’.   The truth however is that not all members of this informal fraternity are “experts” on cyber-crime, nor do they all have more than a working knowledge of it as it relates to their day-to-day roles and responsibilities.   No.  In fact, many if not most are engaged in other noteworthy endeavors, with the hope being that those who do possess an acute understanding of this subject matter shall use it to the benefit of us all.  For many the overt goal is the sanctity of fact, the preservation of information and its dissemination for the common good.  There is not one thing wrong with this attitude, and in fact I would go so far as to suggest that we not only wish it to be the case but need it to be so.  The IC3 released its Annual 2009 report on cyber crime late last week, and with it came a number of things:

The IC3 stated that the total dollar loss from all referred cases (that is cases which were referred to and studied by their team), was approximately $559.7 million dollars (US) with a median or average dollar loss per instance being reported.  The significance is quite noteworthy in that it demonstrates that from the year 2008 (which saw a total of $264.8 million dollars (US) in losses) to 2009, the IC3 saw an increase in losses of approximately $295.1 million dollars (US).  This growth represents a little more than two times what had occurred in the previous year.  One need not look too much further in order to see patterns emerging if they ever doubted they had existed.  That statistic alone should alleviate any doubt that cyber-crime is swiftly becoming (and will likely supersede) the most sought after element of modern criminal activity.

For many years, empirical evidence has been amassed and studied in order that trends could be determined via the careful application of analytics.  Through deep analysis an analyst begins to note trends and pattern development.   Similarly, an analyst would begin to note points of adaptation, deviation and evolution as they relate to the trends and patterns.  Many factors influence these patterns of development.  In the past I’ve found it both necessary and helpful to create impact lists of items that either influence or aid my topic of study.  The following list, though detailed, is by no means complete.  It demonstrates some of the more prominent elements at work (some of which the sub-economic environment shares with the traditional economic environment):

Who’s To Blame?

We could easily begin finger pointing and assigning blame to corporations and individuals alike; however it is my assessment that this was not and will not be necessary.  Would it be convenient to blame Microsoft for every bad piece of code written using their .Net framework?  Of course it would.  It would be just as convenient and likely every bit as easy to blame IBM for its Rational framework and in the same breath begin addressing the failures of individuals’ and organizations’ internal code development.  It would also be intellectually dishonest and morally suspect.  I believe there is plenty of blame to go around and it is not entirely any one organization’s, or discipline’s, fault. It is all of our faults in the sense that we failed to communicate the value proposition of the importance of securing properly to avoid securing dangerously.  We speak of evolution, adaptation and sophistication as though they were the norm; part of the meme, if you will, of our industry, though the evidence shows that there is significant disparity between idealistic states and those anchored in reality.   We talk of sophistication in attacks and exploits, yet in many cases ‘sophistication’ isn’t even a consideration, as many recent ones occurred using unsophisticated means (Ghostnet).  We use terminology such as ‘elegance’ to describe the state that is arrived at upon being owned (and being made aware of said owning) by those with questionable or nefarious intent, if a level of sophistication was demonstrated.  In reality, some of the more notable attacks of the last 18 months were not terribly sophisticated yet still quite effective.

First Steps

So who is to blame?  My answer is that we all have an ownership stake in this as I mentioned earlier.  We live in a world driven by deadlines and meeting/exceeding customer expectations.  There is nothing wrong with that.  Managing against deadlines is both noteworthy and sensible from a business management perspective.  I do however believe that sacrificing quality in order to meet deadlines introduces problems sooner or later.   As my father is fond of saying, you can’t cheat death and I think (at least in spirit), the same sentiment can be echoed with respect to doing poor work: you can’t cheat quality.  Often in my career I’ve worked with clients who simply could not afford to not meet deadlines (internal or external customer facing deadlines).

Recently my friend Josh Corman and I were discussing the basis for what became the Rugged Software initiative.  During that conversation we discussed many of the arguments, pro and con (most of which are quite old, it should be noted), related to SDLC (software design life cycle) and the challenges which seem to manifest into reality all too often in development houses.  My belief is that until SDLC is communicated in a manner which demonstrates the value of the bits to the boardroom, it will be an uphill battle.  That doesn’t mean it isn’t worth fighting, but rather that until it resonates with the stakeholders, the business unit owners who set and oversee (and who are overseen by the board, for example), it will likely fall on deaf ears.

My suggestion is that organizations, and those within them charged with managing the risks the organization faces, should begin by evaluating the organizational risk posture.  In doing so, provided the exercises are followed through upon, it will become clear what level of exposure the organization is incurring, what has been defined (formally or informally) as an acceptable level of risk, and whether or not that needs to be re-addressed in order to align with the expectations set forth by the risk management team in preparing the organization for cyber threats such as those associated with ‘cyber-crime’.

CODE BLUE

It is no secret that the world is a complex place.   Look at any news report on any network regardless of what your geopolitical bent is and you will notice three things:

  1. Everyone has an opinion
  2. Everyone’s opinion to him or herself is right and sacred
  3. Opinions without action are worthless

I am a huge fan of Erik Erikson, the revered developmental psychologist and psychoanalyst best known for his theory on social development.  His work and research in the field of ego psychology and social psychological development was landmark and, amongst the neo-Freudian community, he in my opinion stood far above his peers.   Eriksonian theory suggests that psychosocial development occurs in a series of stages, which requires successful mastery of the initial stage in order to properly prepare and set the stage for all later stages.   Likewise, Erikson theorized that the failure to master the initial stages can have a damning effect upon development, though this is not to say that one cannot recover from and overcome these obstacles and subsequently (with hard work and diligence) arrive at a place which is prime for the stage one finds oneself in (there are of course limits and caveats associated with this, especially in considering the earliest stages, wherein the subject is still an infant and largely dependent upon others for nurturing).   The following table depicts Erikson’s stages of social psychological development nicely.

Table 1: Erikson’s Stages of Social Psychological Development

Stage | Basic Conflict | Important Events | Outcome
Infancy (birth to 18 months) | Trust vs. Mistrust | Feeding | Children develop a sense of trust when caregivers provide reliability, care, and affection. A lack of this will lead to mistrust.
Early Childhood (2 to 3 years) | Autonomy vs. Shame and Doubt | Toilet Training | Children need to develop a sense of personal control over physical skills and a sense of independence. Success leads to feelings of autonomy, failure results in feelings of shame and doubt.
Preschool (3 to 5 years) | Initiative vs. Guilt | Exploration | Children need to begin asserting control and power over the environment. Success in this stage leads to a sense of purpose. Children who try to exert too much power experience disapproval, resulting in a sense of guilt.
School Age (6 to 11 years) | Industry vs. Inferiority | School | Children need to cope with new social and academic demands. Success leads to a sense of competence, while failure results in feelings of inferiority.
Adolescence (12 to 18 years) | Identity vs. Role Confusion | Social Relationships | Teens need to develop a sense of self and personal identity. Success leads to an ability to stay true to yourself, while failure leads to role confusion and a weak sense of self.
Young Adulthood (19 to 40 years) | Intimacy vs. Isolation | Relationships | Young adults need to form intimate, loving relationships with other people. Success leads to strong relationships, while failure results in loneliness and isolation.
Middle Adulthood (40 to 65 years) | Generativity vs. Stagnation | Work and Parenthood | Adults need to create or nurture things that will outlast them, often by having children or creating a positive change that benefits other people. Success leads to feelings of usefulness and accomplishment, while failure results in shallow involvement in the world.
Maturity (65 to death) | Ego Integrity vs. Despair | Reflection on Life | Older adults need to look back on life and feel a sense of fulfillment. Success at this stage leads to feelings of wisdom, while failure results in regret, bitterness, and despair.

At this point, you, the reader, may be wondering just what this has to do with what I typically write on here.   That is a great question and I am glad you are thinking :).  I believe our industry has, in many ways, met with conflicts (as Erikson describes them, or challenges) and failed in conquering them, thusly finding itself following a derelict trajectory.   I believe several factors have contributed to this:

  1. An inordinate amount of emphasis being placed on compliance for compliance sake as opposed to improvement of risk posture
  2. A fundamental lack of value and understanding with respect to information security and all it influences in business and outside of it historically (though I feel this is beginning to change…slowly)
  3. Errant thinking and marketing campaigns on the part of certain vendors (you know who you are and as such there is no need to point you out here)
  4. The errant belief that what worked in the past will work today or tomorrow (applies to technology as well as thought / philosophy)
  5. The accepted ‘norm’ of intellectual dishonesty which has become grossly apparent to the trained eye and experienced practitioner

In terms of development, it is my opinion that the industry has progressed, though not without lumps and as a result, of incurring said lumps has approached each successive stage of development in a manner which though not ideal is certainly able to be right sized.    Should this right sizing not occur, I believe the industry at large will square and settle nicely into developmental stage 7 “Middle Adulthood” characterized by Generativity vs. Stagnation finding itself landing precariously in the realm of stagnation.   I do not do stagnation well, do you?   If not, let us continue to challenge our peers, our industry, our clients, our customers and ourselves to reclaim our industry and ensure generativity for all.

Software is an essential, non-negotiable aspect of everything we experience in our daily lives.  It is the technological parallel of water in the biological realm.  All things within the worlds that govern the use and application of either software or water rely upon the sanctity and “cleanliness” of these resources in order to progress forward and ensure their existence.   Without a sense or guarantee of purity, much stands to be lost; most of which can only be hypothesized about or guessed at until an event of interest solidifies the inclinations of those who are speculating.  Consider all that you interface with on a daily basis, regardless of where you are located geographically on planet Earth.   Your communications systems, your medical and emergency response systems, your transportation systems, your drinking water and water treatment facilities, your power industry systems (end to end), your financial systems, your military systems, etc.   This is a relatively short list, and though that may be the case (and though I am fully aware of the greater scope of systems and technologies affected by software), we can see that precious little in the age in which we live exists outside the realm of engineering which is dependent upon secure software development.   Traditionally, software development lifecycles (SDLC) have been individually governed either by those parties responsible for the ‘framework’ of tools and / or coding languages which are used for development, or by those parties within a given organization who have assumed responsibility for development and are actively moving towards goals set forth by the business units which they support.  Whatever the case may be, there are certainly ample examples of glaring deficiencies within these processes, deficiencies which (when left unaddressed, provided they are found, or worse, ignored despite having been found) often have cataclysmic ends.

As professionals working in the business world, plying our tradecraft, we need to ask ourselves, our clients, our customers and anyone else who will listen (ideally those who have a ‘Stake’ in the decision making process which impacts the generation and delivery of this code) why we allow an insecure state to exist in something so key to everything we do.  There are many reasons one could point to for the existence of these deficiencies:

a) Meeting or exceeding expectations of the investment community
b) Exceeding the ability of the competition to get to market and thusly secure a more stable position
c) Realization of a conceptualized solution to a need / want in the absence of irrefutable data

a) Coding with security in mind is as much an art as it is a science; however, it can be achieved in repeatable fashion via soundly crafted process and procedure, in addition to training and the encouragement of skill set development
b) Resource / personnel challenges

a) Self-explanatory, but can certainly be expanded upon in greater detail at a later time

a) Art meeting science; one cannot rush greatness or soundness of design, however one can, through the use and employment of the right people, process and technology, achieve the goals and complete the mission
b) Patience is non-negotiable

a) People fear what they do not understand
b) People fear what they do understand but are unable to influence and / or change
c) People fear what they cannot contemplate

The net effect for our discipline and tradecraft is that we see (and experience daily) the results of either poor, or a total absence of, proper SDLC.   We cannot afford to become comfortable or complacent in a system which has, to date, zero accountability, and as such many are looking at the present, and towards the future, with new, bold ideas in mind hoping to effect change.  One such organization is one which I have both the privilege and honor of being affiliated with, The Rugged Software Initiative http://www.ruggedsoftware.org/ and https://groups.google.com/a/owasp.org/group/rugged-software.  My friend and colleague, Josh Corman, along with David Rice (author of “Geekonomics” and security professional) and Jeff Williams (CEO, Aspect Security), developed this concept and, with the help / guidance of several industry figures, delivered the Rugged Manifesto and initial presentation, which they presented and released at the SANS Application Security Summit on February 5, 2010.   This is not the first time an SDLC methodology has been proffered for the masses; however, it is one of the only times which I can readily recall that a collective body of like-minded individuals from disparate elements of industry have developed a framework akin to this which they hope to see adopted by the masses as a mechanism for combating the threats presented by the deficiencies I mentioned earlier, and others as well.  That being said, I and my peers at Cassandra Security stand in support of Rugged.  Many of us have functioned and continue to function in assessor and auditor capacities and understand all too well the flawed state of code in the world today, through our own analysis and through the work of others.  We believe in the concept and the goal.   Do we believe that it will be adopted universally and that all software development flaws will be eliminated?  No, we do not, but we are hopeful that in encouraging the adoption and support of this ideal, we as professionals, as colleagues, can encourage industry to address the points I made above and those contained within the body of The Rugged Software Initiative and Manifesto in order to mitigate the risk.   Get Rugged, it might just save your life.

02.02.2010

In business, accountability is something that cannot be stressed enough.   This was true before the economic breakdown of 2009, and will continue to be long after.  Accountability is of paramount importance and, perhaps more so than anything else, it is a good thing.   Accountability is something that, at some base level, all humans can relate to.   Ask any child whether or not they are reprimanded by their parents when found to be in violation of a rule and you will almost assuredly receive a response of ‘Yes’.   If you receive a ‘No’ then perhaps that is a sign of bigger challenges and problems to come.   Regardless of the response, my belief is that you would be hard pressed to find anyone with any amount of intellectual honesty who would say that being accountable is a bad thing.

Accountability is a good thing.  It is of imperative importance.  Accountability aids us in the definition, maintenance and articulation of the healthy boundaries that all humans need and require (though they are not always seen or found present).  Boundaries, rooted in the freedom afforded by accountability, enable us to live, grow and prosper with the understanding that we are all responsible for our actions (of course there are things which we cannot control; however our responses to external stimuli, as Marcus Aurelius taught us, are well within our sphere of influence).  Accountability provides much more in the way of freedom than most would initially suspect.

As information security professionals, we should all (I will not assume that all do; however, I will suggest that we all should) be cognizant of the value of accountability.   If one looks at the continuum of information security, and its role within modern business today (regardless of the vertical or sector), one can conclude that being accountable should not be negotiable.  We do not live in a perfect world, however, and as a result we must assume that in some organizations, for better or worse, it will be seen as being negotiable.  In those cases where it is deemed negotiable, one need not look any further than to the leadership in place and their vision for the culture.  Similarly, in those environments where it is deemed unacceptable to be negotiable with respect to accountability, one need not look any further than the organizational leadership teams.   When moral flexibility is allowed to negatively influence accountability, it should surprise no one when armies of auditors, assessors, consultants and vendors descend upon the environment in question to aid the bewildered, understaffed information security teams and management.  There is blood in the water and sharks can smell it for miles off.

The impact upon the organizational culture, receptivity and tone becomes more pronounced as well, as does the impact upon the cultural attitudes of the organization in question and the sub-cultures that exist within the primary organization’s business units.  Any number of scenarios can come about as a result, from those that are extremely open, productive and collaborative to those that are terribly conflicted and shut down from a productivity perspective.  Enterprises (whether in the public or private sector) do not need to settle for scenarios which encourage mediocrity and closed minded attitudes.  The establishment of accountability as an elementary aspect of organizational culture and politics (social and / or formal) is a wonderful place to begin.   This does not mean that organizations should begin encouraging Orwellian information gathering campaigns where rewards are given to those who inform on their co-workers’ infractions (real or perceived), but rather where all parties within all roles understand their contribution to the organization in any and all forms, up to and including being accountable for one’s own actions and to one another, so as to prevent any damage to the organization and / or its assets (tangible and intangible alike).

You might be saying to yourself as you read this “that sounds wonderful Will, however I live in the real world and work there too.   I have no use for esoteric philosophical idealism when I need to get the job done today, especially when I have to demonstrate compliance for God knows what to God knows who”.  Fair enough, I can appreciate that, which is exactly why my reply would go something like this: “Of course you don’t, you’ve got a lot to accomplish in little time and with even less in the way of resources; however, if you take a few steps back from the situation, employing observing ego, you will see that the advocacy of accountability in the form I am speaking of (predominantly through sound risk management based security programs and frameworks) would relieve you of much (not all) of the challenges you face”.  Crazy, you say?  Unrealistic?  Immature? Handsome (had to throw that in to see if you were paying attention ;) .  My assertion is that through the adoption of a solidly crafted risk based security program and framework, accountability can be achieved where it currently does not exist, and supported and enhanced where it already does.

So how do we get there from here in the absence of accountability?   The first step is to revisit your organization’s P3 (process, procedure, and policy) to see what exists (if anything) to date.   Odds are, something does, though the state and maturity might vary.   Should you find yourself in a situation where you have none, or what is roughly the equivalent of none, fear not.  This is not necessarily disastrous; however, it should be addressed and amended swiftly in order to ensure the organization maintains its risk posture or, at the very least, becomes cognizant of it.

01.27.2010

This post is the first in a series of an in-depth review of some of the security challenges we see with cloud computing. In the following post you’ll find some very high level concerns we have regarding the innovations around cloud computing. More detailed analyses of the various cloud offerings will follow in the coming days and weeks.

Cloud computing has introduced a whole world of possibilities for everyone from the largest enterprise looking to reduce operational expenses down to the individual consumer wanting a place to store their summer vacation pictures. At first glance, the entire concept of cloud computing is a fantastic way to lower data center costs, reduce the number of personnel required to manage a system, save on software licenses and to eliminate the need to purchase a product or service that is not within your core competency.

My guess is that every enterprise is looking for some way to leverage “the cloud” in some form or fashion and the numbers of advertisements for web-based services geared to the small business and consumer are all over the mainstream media. All of these services are promising a lower cost, easier to manage solution or promising a “quicker” something whether it be a tax return or “anywhere” access to files. This generation of computing promises to be great, except for one thing: security.

By definition, security in the cloud computing infrastructure is not possible. That said, nothing is completely secure and risk free except maybe that computer that’s not plugged in and has no users or operating system but then what good is that other than to serve as a paperweight or to hold a floor down? Anyhow, ever since I was an “InfoSec toddler” three things have been driven in to my head:

1 – Confidentiality
2 – Integrity
3 – Availability

Those three simple words describe everything we need to know about security, no matter whether we call it network security, system security, IT security or that all encompassing term, information security. As I said in an earlier post on Cassandra, security is all about protecting information; I agree that it is no fun when a computer is infected with malware which causes the owner to have to rebuild a hard drive or worse, an “outbreak” occurs across multiple systems. It is bad when a gateway device or web server goes offline because of a DoS attack. However, in both of these cases, if information isn’t compromised it can be classified as an internal security event and not a reportable security incident. In fact, if it were not for the above tenets of information security, the attacks that compromised a browser flaw (a vector that was predicted by members of Cassandra Security in 2006 and 2007 to have severe implications for the security of our information) would have been nothing more than a patch event from a security perspective. Again, the time has not come to protect your critical information; it has always been here, it’s just becoming more complex with advancements in technology. I would even argue that some forms of cloud computing, specifically Web 2.0 and collaboration, have led to the critical nature of the recent IE exploit that affected so many companies.

Security is all about protecting information and it has been so since the ancient Greeks would shave and tattoo a message to a slave’s head and send them across enemy lines to deliver that message. Whether we call it steganography or encryption, they found a way to protect information that needed to be delivered between two points. Yes, that person may have been at risk or, if that person was killed then the message didn’t get delivered, but there was limited harm because the enemy didn’t have the “key” to decipher the message.

This brings me back to my original point: by definition, information security cannot be assured in a public cloud computing environment, and here’s why: the customer is still the data owner and they are ultimately the organization responsible for the CIA of their information. The act of transferring this information to someone else’s facility does not change that; rather, it makes it more difficult.

Confidentiality is difficult at best and not possible at worst. In a public cloud environment, one must ask the vendor if they can guarantee the confidentiality of your data. In order to accomplish this they would have to do a few things:

Integrity is a bit easier than confidentiality if the data is encrypted and can only be accessed by your organization; however, how does the hosting company guarantee that only your organization is accessing the data or application?

Availability is probably the most difficult because while you might have a service level agreement in place with the provider for access to their systems, you may have at least two other parties involved; those being the ISPs of the respective organizations. Can you get a guarantee from all of those organizations that your data is going to be available when you expect it to be available?

While this is not all encompassing of the security complexities introduced by the cloud computing initiatives, it should give an organization plenty to think about the next time they hear the advertisement that says “My cloud is secure.” I’m not advocating against leveraging the cloud; rather, quite the opposite: educate yourself before exploring the benefits of cloud computing. Stay tuned for specific research papers on the security concerns in the various types of cloud computing and the services offered in that environment.
