06.08.2010

A little over two weeks ago United States Army Specialist Bradley Manning was arrested and life as he knew it changed forever.   Manning, an intelligence analyst stationed at Forward Operating Base Hammer, 40 miles east of Baghdad, had implicated himself as being responsible for the disclosure of in excess of 260,000 classified documents that he harvested from military classified networks (SIPRNET and JWICS).   He shared this information with Adrian Lamo, well known “reformed” black hat hacker over encrypted instant messaging sessions ultimately culminating in Lamo turning to the United States Army’s Criminal Investigation Division (CID).   Lamo, who along with Wired.com journalist Kevin Poulsen, have been labeled as ‘snitches’ as a result of Lamo’s cooperation with the authorities and Poulsen .   The Internet is awash with speculation regarding this story with parties such as Julian Assange, founder of the Internet whistleblower site WikiLeaks.org – the site which Specialist Manning allegedly provided these documents and videos to, stating that were Specialist Manning responsible for the submissions (which Assange will neither confirm nor deny), he should be regarded as a national hero.

Regardless of your position on free speech or what only time, investigation and thorough analysis will reveal pertaining to the Manning case, gross misconduct occurred in what can only be described as a willful manner as it relates to Specialist Manning, his military occupational specialty, his rating, unit, command and brothers in arms the world over.   Philosophy, politics and idealism are the wildcards in our space; the black swans which, when identified must be taken note of as that which motivates them in many respects lies squarely outside of the norms associated with breeches of this type.   In most cases of espionage, which is candidly what this is — regardless of your feelings or philosophy, there are often common indicators that are noted and tend to be exploited by those seeking to exploit a party to do their bidding.   This case is different.   It’s interesting and quite candidly horrifying in that Specialist Manning (to the best of the data we have to date), was not motivated by greed or financial hardship (motivators seen in countless other cases such as the cases of Ames, the Walkers, or Hanson for example), or vice (as seen in the case of Lonetree).   No, by all accounts (again taking into consideration that these accounts are coming largely via third party relay and information being disclosed resulting from the communications between Manning and Lamo along with information provided by friends of Specialist Manning), Specialist Manning was motivated by that which we might most easily describe idealistic or philosophical.

As a result, I am going to refraining from weighing in within an opinion regarding guilt or innocence as no doubt Specialist Manning will be undergoing investigation and I would imagine a Court Martial as a result of the allegations being brought forth against him.  Certainly the communications he provide Lamo will act in building and strengthening the case against him and we would all do well to remember that Specialist Manning – like all Military personnel, swear an Oath of Enlistment which calls for the party swearing said oath to defend the Constitution of the United States from all enemies, foreign and domestic.  The oath itself looks like this:

“I, (name), do solemnly swear (or affirm) that I will support and defend the Constitution of the United States against all enemies, foreign and domestic; that I will bear true faith and allegiance to the same; and that I will obey the orders of the President of the United States and the orders of the officers appointed over me, according to regulations and the Uniform Code of Military Justice. So help me God.

It is communicated in an elegant and articulate manner and leaves no room for interpretation.   Beyond that, when one enters into a military occupational specialty which requires a security clearance one’s life and personnel opinions must be willingly put aside for the greater good as the lives of others more often than not depend on a clear, unwavering stance on service, obligation and duty to the nation.   Having said that, it should be noted that it is not my place nor is it my desire to pass judgment on this young man.  That day and duty will come and justice served in a military court of his peers at a time yet to be determined.  My real concern stems around the situational awareness of those in charge of the facility in which Specialist Manning worked on a daily basis and their procedural and operational effectiveness.   Allowing anyone to enter into classified environment with read / writable media is not uncommon.   Read writable material is used within these environments.  However, allowing them to leave the facility with read / writable material – regardless of how it was labeled (in this case Specialist Manning stated that he labeled a read / writable disk as a ‘Lady Gaga’ cd and proceeded to pretend to lip-sync to her songs while he was scouring secure, classified systems and networks for material which he later downloaded within a split compressed file), is unusual to say the very least.  In most cases it does not and never should occur.

This no doubt will be investigated by Army CID and others and will likely see the watch command, Officer in Charge and others investigated in order to proper assess whether Specialist Manning acted alone or in collusion with others.  The results?  Well we’ll have to wait for the results to be arrived at – we may never know as the Department of Defense may desire (and it is their right to do so), not disclose all that they find.   Regardless I cannot think of a better case to highlight the need for regular, and vigilant security awareness and educational training in addition to greater degrees of cognizance of the existence and potential use and hosting of onion routed repositories within networks (public or private), which may be used for questionable and in some cases quite clearly, criminal ends.

Tags: , , , Filed Under Crime and Punishment, Cyber Crime, Cyber Defense, Cyber Warfare, Next Generation Threats, risk management | Leave a Comment 

06.04.2010

Today’s blog post has been kicking around in the recesses of my mind for a while.  I have been re-writing it for a while and decided to just get it out there so I can move on to other entries while still doing it justice.  It deals with a subject that over time has become much more popularized though not to the degree that other subjects within our space have.   Customized, designer malware.   Some industries and security practioners are much more familiar with this particular family of malicious code and content than are others.   Certainly key elements within the public sector (DoD, Intelligence Community) and private (Defense Industrial Base, High-Tech R&D, Biomedical R&D) are no strangers to this family but as for the majority I have to believe that it is still largely the stuff of myth and folklore.   When one considers the premise of these types of threats and payloads it becomes apparent that they are unique and quite problematic.  It’s a simple value proposition for the attacker:

  1. Study your target(s)
  2. Collect and qualify intelligence while making discretionary decisions on what to discard or retain
  3. Study and evaluate targets of opportunity – technical and non-technical
  4. Develop a strategy which takes into account tactical and strategic goals and allows for fluid diversion from one path to another should the opportunity cost be deemed too high or unreasonable
  5. Engage and begin insertion within the target environment
  6. Locate, identify and observe targets of interest paying special attention to people, process and technologies put in place to protect the targets
  7. Assess opportunity cost
  8. Engage in compromise
  9. Secure targeted object of mission

10. Extricate data and or target (remember the target could be something of a non-digital order, say a next generation telecommunications hand held for example)

11. Secure the target

12. Initiate process to either extort the rightful owners for profit or identify and initiate potential buyers who themselves have been qualified and are ready to engage in a transaction to secure the rights to the target in question

Sounds complex, perhaps even a bit fanciful or fictitious but rest assured dear reader it is anything other than fictitious.  Methodologies of this sort and other similarly enacted methodologies are utilized often within operations that focus on the use of customized and designer malware targeted at an organization or a specific individual within that organization for the express purpose of illegally acquiring information or assets belonging to that organization which – were they to be sold on the open market or destroyed, would have grave impacts upon the way in which the target or victim organization conducts its affairs.

As an industry we should take these threats and their growing prevalence every bit as seriously as some of the other more recently noted families of threats which have recently permeated the cultural zeitgeist.  In the same breath we as an industry need to be quite careful to avoid hysteria and any potential for ushering in an era of cyber-McCarthyism that sees us descend into a chaotic state fraught with implications, finger pointing, blinder-driven views and a lack of the irrefutable.

So how do we begin fighting these threats?  We begin very much in the same way in which we always do by preparing ourselves and forgoing the tendency to take the path of least resistance.   Many times attacks and compromises seen which fall into the family of customized, designer malware leverage as a basis, technologies which are well known and documented.  Root kits, backdoors, and Trojans amongst others have been noted effectively in these scenarios as have been various and sundry examples of ransomware.   I believe that new, enhanced taxonomic views are necessary in the modern world of malicious code and content analysis for combating these challenges.   These views must be much more comprehensive and at the same time reflect the realities occurring within the Internet threat landscape which at times are denounced as being fiction (e.g. if an attack is launched by a nation state or sub national entity for financial gain it cannot be an apt – this is rubbish).  Customized, designer malware may very well be a significant portion of the signal penetrating the noise in an effort to compromise and exploit our businesses, governments and personal lives on scale much more grand than had ever previously been considered.

Tags: , , Filed Under Advanced Persistent Threats (APT), Cyber Crime, Cyber Defense, Information Security Philosophy, Malicious Code, Malicious Content, Subversive Multi-Vector Threats (SMTs), Trojans | Leave a Comment 

05.04.2010

The Evolution of a Sub-national Entity in CyberSpace: The Rise of the Cyber Cell

Rise of the Cyber Cell


Tags: Filed Under Advanced Persistent Threats (APT), Cyber Crime, Cyber Defense, Cyber Terrorism, Cyber Warfare, Subversive Multi-Vector Threats (SMTs) | Leave a Comment 

04.13.2010

Any Given Tuesday

On February 16, 2010 the Bipartisan Policy Center’s national security preparedness group (led by Thomas Kean and Lee Hamilton), in co-ordination with former CIA Director General Michael Hayden and others.  I watched it as the participants worked their way through the mock scenario and like many in my field remained quiet with respect to the matter preferring to hear the comments of others prior to offering up any ideas of my own with respect to the exercise itself.  The role playing game took place in an alternate 2011.  In this alternate reality 2011 hackers distribute a free phone application containing a virus, which lets them do the following:

The scenario combines a series of quite serious events that individually pose major problems and collectively represent a disastrous situation:

Conclusions Made By The Participants: The U.S. Is Not Prepared For a Large Scale Cyber Event

Concerns and Comments on The Outcome

I struggled greatly with this for many reasons not the least of which is that I am a citizen of the United States, was born and bred here and make my residence here as well along with hundreds of millions of other Americans.  Former Director General Hayden along with others concluded that should an event such as this occur the outcome would be disastrous.   Though I understood the rationale being employed to conduct the test (it is hardly new – role playing scenarios have been used for decades to test preparedness), I was and to a degree, remain torn with respect broadcasting a message such as this one to the world at large regardless of whether or not it reflected true, current, state statistics.    My fear is that in sharing this type of information with the masses the result could very well be pandemonium and panic as opposed to curiosity leading to inquiries to congressmen and women or senators.

Warfare, after all, is a behavioral activity demonstrated by human beings toward one another; it is as old as time.  Archeologists have substantial evidence that suggests in no uncertain terms the realities of warfare long before history recorded the rise of the State as Westerners define it.  In his 1996 book, War Before Civilization by Lawrence H. Keeley (Oxford Press, 1996), a professor in the Anthropology Department of the University of Illinois Circle Campus, Chicago stated that “approximately 90–95% of known societies throughout history engaged in at least occasional warfare and many fought constantly.”  Cyber warfare is a logical extension of this mindset; a modern addition to a longstanding tradition replete with customs, courtesies, weapons and protocols.  I’ve written previously on the activity and attitudes held by certain nation states with respect to cyber warfare; some friendly others not so friendly to the United States.    The fact of the matter is that cyber warfare is real.  Debates suggesting anything to the contrary simply the product of the uninformed or those who wish to believe that things in the world were different than how they are.

Final Thoughts

Will we see acts of war or wars fought in cyber space?   I believe we’ll see a continuation of that which we’ve already seen and noted over the last two decades if not longer.   To assert otherwise would be foolish.   Will the manifest the way in which they did in the continuity / disaster recovery exercises described in ‘Operation Shockwave’(or for those who recall them operations ‘Black Ice’ and ‘Blue Cascade’ which took natural disasters or disasters introduced by sub-national entities and married them with cyber attacks)?  I wouldn’t want to speculate however I believe that though there is much conjecture with respect to this subject; much debate amongst industry pundits (some fluent, experienced and familiar with warfare and the cyber derivative and some not) that it is not beyond the realms of possibility.  A great deal of work has been done in the study of traditional warfare:

So too as it relates to the integration of defensive and offensive tactics, strategy and solutions and this I believe will continue as our need to address threats which exist on a logically driven front yet have the potential to impact the physical world will only continue to grow.  We have an obligation to do what we can however we can to protect our nation and our allies.   I still believe we should be more discrete with sharing information (I can’t unlearn that which the Marine Corps taught me), and hope that via proper educational channels (many of those participants within the Bipartisan Policy Center’s panel suggested and commented on the need to work with industry in order to ensure safe guarding of the nation), and we will arrive at a point where exercises such as this and the feelings of angst they produce, are no longer needed nor angst generating.

Tags: , , , , Filed Under Cyber Defense, Cyber Terrorism, Cyber Warfare, critical infrastructure | Leave a Comment 

03.26.2010

Introduction:

Just when you thought it could not get any weirder we bring you yet another installment of Bombs, Bullets, and Bits!  In fact this is Episode V and of the ongoing series and today’s installment focuses on the wonderment of open market promotion, marketing, and salesmanship within the sub-economic ecosystems of the underground.  Before we get going though I feel it is important to address a few key areas of economic theory in order to set the stage accordingly.

Adam Smith and Underground Sub-Economic Ecosystem of the Internet:

Adam Smith is revered the world over by economists and non-economists alike.  Smith (b.1723 – d.1790), wrote what is considered to be by many as one of the most important texts in economics and philosophy, The Wealth of Nations.  He is credited with coining the phrase and concept of the “invisible hand of the market” which, when allowed to move of its own volition, influences and churns economic cycles, conditions and markets in a natural manner reflecting basic and complex principles of conditions such as supply and demand.  If you’ve not studies Smith’s works I would suggest picking up his The Wealth of Nations, as it is timeless.  In the event you have not but are interested in understanding the basic premises of Smith’s philosophy (and if you intend on reading the remainder of this installment while being able to tie it all together), here is a short synopsis of the salient points contained therein:

Relevance to the Underground and You:

Ok, at this point you may be thinking “thanks for the economic philosophy lesson, but what does this have to do with the underground, malware, hackers etc.”, I’m glad you asked.  As we established above, every good and or service has what Smith called a “natural price”.  This “natural price” is determined by a variety of factors including at a high level:

As one might expect availability, efficacy or desired effect (what it does vs. what it does not do), and application are all capitalized upon by the seller when targeting potential buyers and consumers.  This is true in all markets to and including the various ‘sub-ecosystems’ of the underground.  In conducting research on botnets I recently ran across quite a bit of ‘marketing’ and solicitation, the likes of which would’ve made any professional sales team proud.   Want access to source code for a botnet to do with what you will? DDoS? SPAM? Malicious Code Infection? No problem, you can do it all with the right package.  In fact, in one case, the case of the ‘Blazebot’ botnet which I originally began tracking around a year ago, the author offered the following features to the highest bidder in the botnet’s final form factor:

Figure 1: Examples of Marketed Features In the Underground

Installation:
Service Startup
ActiveX Startup
Anti Debugger thread
Anti Dumping Mechanism
File Protection (can be seen on video)
Two types of process protection
Windows Firewall exception
Shared memory between service and userland app (ring 3)
User impersonation (Service steals a token from userland App to steal their data)
Pure API sockets (no ocx, csocketmaster or whatever)
Ring3 API unhooking
Commands: Update
-Allows users to update the bots with a newer version
Dump

-This will cover the retrieving of:
Windows serial keys
Antivirus/Firewall name
Basic Info
MSN passwords
Internet explorer passwords
Serial keys
Poison Ivy
-This command will download the preset shell code of Poison Ivy to memory to connect back to you for full control.
Download
-Downloads a file to HDD. Can also auto-execute and load DLL’s and EXE on request.
Execute
-This will run a specific executable file.
Nickname
-With this you can give specific bots commands
Exit
-Terminate your own process (does NOT uninstall)
Melt
-Program will uninstall itself
Unhook
-Bots will unhook themselves from API hooks in ring3
Self Patching
-You can let the bots patch their settings to connect to other hosts
DDOS
-This is basically a big bandwidth flood to take down hosts
Delete files
-self explanatory
Kill Processes
- self explanatory
Msn Spamming
This will spam anything you want into the ongoing msn chats without hooking anything.

In this case the author decided to take his project to the open market and solicit private bids.  Bids (which were rejected by the author), ranged from $50 USD to $400 Euros.  In the end the author sold the entire source code package to a private party who wished to remain anonymous for an undisclosed amount.  As part of the author’s campaign for a purchaser, he engaged in competitive marketing initiatives specifically targeting the ZeuS Botnet and community.  A key selling point made by the author was that unlike ZeuS he was selling the entire source code package not simply binaries thusly enabling the buyer to establish their footprint in the Botnet world in any number of ways all of which were at the command of the new owner.  Additionally, the author demonstrated the ability of the code to bypass detection of some 22 Anti-Malware engines.

Up On Olympus:

ZeuS is another wonderful example of this.  Currently, active orders are being solicited for 1.4.x.x of ZeuS with prices ranging from $4000 USD to $8000 USD depending on which modules are desired for specific functionality.  ZeuS is an interesting case in that older versions of the Botnet are easily had in the wild and can be used effectively though newer, more easily obfuscated versions of the code are available.  ZeuS is in extremely high demand, selling on a pre-order basis.   A testimony to its popularity and continued success for its authors, sellers and suppliers is its continued effectiveness in bypassing detection and delivering extremely high success rates in compromising hosts, impregnating them with malicious code & content packages with the end game being the establishment of participation within the greater command & control fabric.  These examples are certainly not representative of all examples of activity within the underground however they provide a clear and concise view of just how supply and demand are working on a routine basis.

Tags: , Filed Under Bot Nets, Cyber Crime, Cyber Defense, Malicious Code, Malicious Content, Next Generation Threats | 1 Comment 

03.16.2010

Cyber-crime: Evolutionary End or A New Beginning?

At times it can be very difficult to focus on the facts in a world where one is barraged by information in ways that the greatest of science fiction writers could never have dreamed.   Media figures along with industry pundits tend to spout facts and figures often in the absence of knowledge and authority.   Many times this leads to outcries amongst the information security intelligentsia who seek to ensure as little flawed logic and FUD (fear, uncertainty, and doubt) is interjected on a daily basis as possible.   Opposition from within the ranks of the intelligentsia is a good thing though many might suggest it is elitist and at times breaks from the tradition of all things ‘hacker’ in the sense that it establishes a clear ‘us’ and ‘them’.   The truth however is that not all members of this informal fraternity are “experts” on cyber-crime nor do they all have more than a working knowledge of it as it relates to their day – to – day roles and responsibilities.   No.  In fact, many if not most are engaged in other noteworthy endeavors with the hope being that those who do possess an acute understanding of this subject matter shall use it to the benefit of us all.  For many the overt goal is the sanctity of fact, preservation of information and its dissemination for the common good.  There is not one thing wrong with this attitude and in fact I would go so far as to suggest that we not only wish it to be the case but need it to be so.  The IC3 released its Annual 2009 report on cyber crime late last week and with it came a number of things:

The IC3 stated that the total dollar loss from all referred cases (that is cases which were referred to and studied by their team), was approximately $559.7 million dollars (US) with a median or average dollar loss per instance being reported.  The significance is quite noteworthy in that it demonstrates that from the year 2008 (which saw a total of $264.8 million dollars (US) in losses) to 2009, the IC3 saw an increase in losses of approximately $295.1 million dollars (US).  This growth represents a little more than two times what had occurred in the previous year.  One need not look too much further in order to see patterns emerging if they ever doubted they had existed.  That statistic alone should alleviate any doubt that cyber-crime is swiftly becoming (and will likely supersede) the most sought after element of modern criminal activity.

For many years, empirical evidence has been amassed and studied in order that trends could be determined via the careful application of analytics.  Through deep analysis an analyst begins to note trends and pattern development.   Similarly, an analyst would begin to note points of adaptation, deviation and evolution as they relate to the trends and patterns.  Many factors influence these patterns of development.  In the past I’ve found it both necessary and helpful to create impact lists of items that either influence or aid my topic of study.  The following list, though detailed, is by no means complete.  It demonstrates some of the more prominent elements at work (some of which the sub-economic environment shares with the traditional economic environment):

Who’s To Blame?

We could easily begin finger pointing and assigning blame to corporations and individuals alike however it is my assessment that was not and will not be necessary.  Would it be convenient to blame Microsoft for every bad piece of code written using their .Net framework?  Of course it would.  It would be just as convenient and likely every bit as easy to blame IBM for it’s rationale framework and in the same breath begin addressing the failures of individuals and organizations’ internal code developing.  It would also be intellectually dishonest and morally suspect.  I believe there is plenty of blame to go around and it is not entirely any one organization, or disciplines fault. It is all of our faults in the sense that we failed to communicate the value proposition of the importance of securing properly to avoid securing dangerously.  We speak of evolution, adaptation and sophistication as though they were the norm; part of the meme if you will of our industry though the evidence shows that there is significant disparity between idealistic states and those anchored in reality.   We talk of sophistication in attacks and exploits yet in many cases ‘sophistication’ isn’t even a consideration as many recently occur using unsophisticated means (Ghostnet).  We use terminology such as ‘elegance’ to describe the state that is arrived at upon being owned (and being made aware of said owning), by those with questionable or nefarious intent if a level of sophistication was demonstrated.  In reality, some of the more notable attacks of the last 18 months were not terribly sophisticated yet still quite effective.

First Steps

So who is to blame?  My answer is that we all have an ownership stake in this as I mentioned earlier.  We live in a world driven by deadlines and meeting/exceeding customer expectations.  There is nothing wrong with that.  Managing against deadlines is both noteworthy and sensible from a business management perspective.  I do however believe that sacrificing quality in order to meet deadlines introduces problems sooner or later.   As my father is fond of saying, you can’t cheat death and I think (at least in spirit), the same sentiment can be echoed with respect to doing poor work: you can’t cheat quality.  Often in my career I’ve worked with clients who simply could not afford to not meet deadlines (internal or external customer facing deadlines).

Recently my friend Josh Corman and I were discussing the basis for what became the Rugged Software initiative.  During that conversation we discussed many of the arguments – pro and con, (most of which are quite old it should be noted) related to SDLC (software design life cycle) and the challenges which seem to manifest into reality all too often in development houses.  My belief is that until SDLC is communicated in a manner to which demonstrates the value of the bits to the boardroom it will be an uphill battle.  That doesn’t mean it isn’t worth fighting but rather that until it resonates with the stakeholders, the business unit owners who set and oversee (and who are overseen by the board for example), it will likely fall on deaf ears.

My suggestion is that organizations and those charged within them for managing risk within and as it relates to them should begin by evaluating the organizational risk posture.  In doing so, provided the exercises are followed through upon, it will become clear what level of exposure the organization is incurring, what has been defined (formally or informally), as an acceptable level of risk and whether or not that needs to be re-addressed in order to align with the expectations set forth by the risk management team in preparing the organization for cyber threats such as those associated with ‘cyber-crime’.

Tags: , Filed Under Crime and Punishment, Cyber Crime, Cyber Defense, Cyber Fraud, risk management | Leave a Comment 

02.15.2010

CODE BLUEIt is no secret that the world is a complex place.   Look at any news report on any network regardless of what your geopolitical bent is and you will notice three things:

  1. Everyone has an opinion
  2. Everyone’s opinion to him or herself is right and sacred
  3. Opinions without action are worthless

I am a huge fan of Erik Erikson, the revered developmental psychologist and psychoanalyst best known for his theory on social development.  His work and research in the field of ego psychology and social psychological development was landmark and amongst the neo-Freudian community, he in my opinion stood far above his peers.   Eriksonian theory suggests that psychosocial development occurs in a series of stages, which requires successful mastery of the initial stage in order to properly prepare and set the stage for all latter stages.   Likewise, Erikson theorized that the failure to master the initial stages can have a damning effect upon development though that this not to say that one cannot recover from and overcome these obstacles and subsequently (with hard work and diligence), arrive at a place which is prime for the stage one finds themselves in (there are of course limits and caveats associated with this, especially in considering the earliest stages where in the subject is still an infant and largely dependent upon others for nurturing).   The following table depicts Erikson’s stages of social psychological development nicely.

Table 1: Erikson’s Stages of Social Psychological Development

Stage Basic Conflict Important Events Outcome
Infancy (birth to 18 months) Trust vs. Mistrust Feeding Children develop a sense of trust when caregivers provide reliability, care, and affection. A lack of this will lead to mistrust.
Early Childhood (2 to 3 years) Autonomy vs. Shame and Doubt Toilet Training Children need to develop a sense of personal control over physical skills and a sense of independence. Success leads to feelings of autonomy, failure results in feelings of shame and doubt.
Preschool (3 to 5 years) Initiative vs. Guilt Exploration Children need to begin asserting control and power over the environment. Success in this stage leads to a sense of purpose. Children who try to exert too much power experience disapproval, resulting in a sense of guilt.
School Age (6 to 11 years) Industry vs. Inferiority School Children need to cope with new social and academic demands. Success leads to a sense of competence, while failure results in feelings of inferiority.
Adolescence (12 to 18 years) Identity vs. Role Confusion Social Relationships Teens need to develop a sense of self and personal identity. Success leads to an ability to stay true to yourself, while failure leads to role confusion and a weak sense of self.
Young Adulthood (19 to 40 years) Intimacy vs. Isolation Relationships Young adults need to form intimate, loving relationships with other people. Success leads to strong relationships, while failure results in loneliness and isolation.
Middle Adulthood (40 to 65 years) Generativity vs. Stagnation Work and Parenthood Adults need to create or nurture things that will outlast them, often by having children or creating a positive change that benefits other people. Success leads to feelings of usefulness and accomplishment, while failure results in shallow involvement in the world
Maturity(65 to death) Ego Integrity vs. Despair Reflection on Life Older adults need to look back on life and feel a sense of fulfillment. Success at this stage leads to feelings of wisdom, while failure results in regret, bitterness, and despair.

At this point, you, the reader, may be wondering just what this has to do with what I typically write on here.   That is a great question and I am glad you are thinkingJ.  I believe our industry has, in many ways, met with conflicts (as described by Erikson or challenges), and failed in conquering them thusly finding itself following a derelict trajectory.   I believe several factors have contributed to this:

  1. An inordinate amount of emphasis being placed on compliance for compliance sake as opposed to improvement of risk posture
  2. A fundamental lack of value and understanding with respect to information security and all It influences in business and outside of it historically (though I feel this is beginning to change…slowly)
  3. Errant thinking and marketing campaigns on the part of certain vendors (you know who you are and as such there is no need to point you out here)
  4. The errant belief that what worked in the past will work today or tomorrow (applies to technology as well as thought / philosophy)
  5. The accepted ‘norm’ of intellectual dishonesty which has become grossly apparent to the trained eye and experienced practitioner

In terms of development, it is my opinion that the industry has progressed, though not without lumps and as a result, of incurring said lumps has approached each successive stage of development in a manner which though not ideal is certainly able to be right sized.    Should this right sizing not occur, I believe the industry at large will square and settle nicely into developmental stage 7 “Middle Adulthood” characterized by Generativity vs. Stagnation finding itself landing precariously in the realm of stagnation.   I do not do stagnation well, do you?   If not, let us continue to challenge our peers, our industry, our clients, our customers and ourselves to reclaim our industry and ensure generativity for all.

Tags: , Filed Under Cyber Defense, Information Security Philosophy, Security Philosophy, Uncategorized, risk management | Leave a Comment 

02.15.2010

Software is an essential, non-negotiable aspect of everything we experience in our daily lives.  It is a technological parallel of water to the biological realm.  All things within the worlds that govern the use and application of either software or water rely upon the sanctity and “cleanliness” of these resources in order to progress forward and ensure their existence.   Without a sense or guarantee of purity, much stands to be lost; most of which can only be hypothesized about or guessed at until an event of interest solidifies the inclinations of those who are speculating.  Consider all that you interface with on a daily basis, regardless of where you are located geographically on planet Earth.   Your communications systems, your medical and emergency response systems, your transportation systems, your drinking water and water treatment facilities, your power industry systems (end to end), your financial systems, your military systems etc etc.   This is a relatively short list and though that may be the case (and though I am fully aware of the greater scope of systems and technologies affected by software), we can see that precious little in the age in which we live exists outside the realm of engineering which is dependent upon secure software development.   Traditionally, software development lifecycles (SDLC) have been individually governed either by those parties responsible for the ‘framework’ of tools and / or coding languages which are used for development or by those parties within a given organization who have assumed responsibility for development are actively moving towards goals being set forth by their units of business which they support.  Whatever the case may be, there are certainly ample examples of glaring deficiencies within these processes, deficiencies which (when left unaddressed provided they are found or worse, ignored despite having been found), often have cataclysmic ends.

As professionals working in the business world, plying our tradecraft we need to ask ourselves, our clients, our customers and anyone else who will listen (ideally those who have a ‘Stake’ in the decision making process which impacts the generation and delivery of this code), why we allow an insecure state to exist in something so key to our everything we do.  There are many reasons one could point to for the existence of these deficiencies:

a) Meeting or exceeding expectations of the investment community

b) Exceeding the ability of the competition to get to market and thusly secure a more stable position

c) Realization of a conceptualized solution to a need / want in the absence of irrefutable data

a) Coding with security in mind is as much an art as it is a science however it can be, in repeatable fashion via soundly crafted   process & procedure in addition to training and encouragement of skill set development be achieved

b) Resource / personnel challenges

a) Self-explanatory but can certainly be expanded upon in more gross detail at a later time

a)  Art meeting science; one cannot rush greatness or soundness of design however one can, through the use and employment of the right people, process and technology achieve the goals and complete the mission

b) Patience is non-negotiable

a) People fear what they do not understand

b)  People fear what they do understand but are unable to influence and / or change

c) People fear what they cannot contemplate

The net effect for our discipline and tradecraft is that we see (and experience daily), the results of either poor or total absence of, proper SDLC.   We cannot afford to become comfortable or complacent in a system which has to date, zero accountability and as such many are looking at the present, towards the future with new, bold ideas in mind hoping to effect change.  One such organization is one which I have both the privilege and honor of being affiliated with, The Rugged Software Initiative http://www.ruggedsoftware.org/ and https://groups.google.com/a/owasp.org/group/rugged-software.  My friend and colleague, Josh Corman, along with David Rice (author of “Geekonomics” and security professional), and Jeff Williams (CEO, Aspect Security) developed this concept and, with the help / guidance of several industry figures, delivered the Rugged Manifesto and initial presentation which they presented and released at SANS Application Security Summit February 5, 2010.   This is not the first time an SDLC methodology has been proffered up for the masses however, it is one of the only times which I can readily recall that a collective body of like minded individuals from disparate elements of industry have developed a framework akin to this which they hope to see adopted by the masses as mechanism for combating the threats presented by the deficiencies I mentioned earlier and others as well.  That being said, I and my peers at Cassandra Security stand in support of Rugged.  Many of us have and continue to function in assessor & auditor capacities and understand all too well the flawed state of code in the world today through our own analysis and through the work of others.  We believe in the concept and the goal.   Do we believe that it will be adopted universally and that all software development flaws will be eliminated?  No, we do not but we are hopeful that in encouraging the adoption and support of this ideal that we as professionals, as colleagues can encourage industry to address the points I made above and those contained within the body of The Rugged Software Initiative and Manifesto in order to mitigate the risk.   Get Rugged, it might just save your life.

Tags: , , Filed Under Audit, Cyber Defense, Information Security Philosophy, Security Philosophy, risk management | Leave a Comment 

02.02.2010

Today I read a blog entry which both amused and troubled me.  The entry in question can be found here and was written by Anton Chuvakin, a smart cat who is obviously trying to draw parallels where they simply do not exist.  In this case, he asserts that there are at least 9 reasons which describe how (and why), the PCI-DSS standard and Advanced Persistent Threats (APTs) are alike.   Not being new to either, I thought I would read Anton’s entry and see where he was going with this…apparently to la la land…..  Let’s take a look at what he asserts.

First and foremost, he asserts that they are similar.   I find that humorous at best and borderline irresponsible at worst.  PCI, as you dear reader, are well aware is a governance standard created by the payment card industry (the PCI in the PCI-DSS) in order to ensure a homeostatic baseline from which all vendors, merchants, and processors conducting business with the big 6 in payment cards exists and can be measured against.   It has nothing to do with threat modeling or mitigation nor does it ensure (as we are painfully aware of due to the unfortunate events which took place at Heartland, Hannaford and a host of others who were either certified PCI Compliant or in the process of being certified), that anything beyond the scope of those systems which comprise the environment which processes credit card information are secured (this is accomplished via vulnerability scanning, and auditing against the standard), leaving the remainder of the enterprise to sway in the wind like yesterday’s laundry. For the record, I don’t think PCI is good or bad, but rather like climbing the rope in gym class: if you want to make the grade, you’ll get up that rope otherwise you’ll receive the consequences.  It doesn’t really speak to one’s athletic capabilities or aptitude however it does impact your grade…PCI is more akin to this than APTs.

Anton asserts the following (whether in jest or in all seriousness is debatable):

  1. Ok…this is cute but hardly relevant or helpful to any combating or faced with the prospects of combating and defending against the realities associated with APTs
  1. Both are not threats.  The penalities associated with the failure to comply with the PCI-DSS standard if one’s organization hopes to continue doing business processing credit card transactions is a promise whereas the threats associated with ‘APTs’ are wildcards and cannot be guaranteed as no two ‘APTs’ are alike.
  1. I have no issue with only because it is generally true that in making assumptions which eliminate the possibility of risk one does oneself no favors
  1. In all my years in consulting, working in research, and for two different information security vendors I have never met an organization who said updating was too hard.   I have however met several who have asserted that the politics which governed their environments were prohibited and that their management teams were — for better or worse, comfortable with the assumed level of risk under which they labored and operated.  Fair enough, it’s your environment, do as thou wilt.   However, in working with those who have been victimized by ‘APTs’ I can tell you that none have ever (let me reiterate EVER) said what’s the point in updating their malware defenses.  The reality is that 99.999 % of the time, they were completely unaware that their environments were at risk, they were updating their defenses and assumed their vendors were maintaining congruency and continuity with respect to the content they were delivering.   In most of these cases, the advanced analytic tools which were necessary (above and beyond logging and monitoring by the way), were not present within these environments and as a result the ability to track the activity associated with these threats was absent.
  1. “A” in APT stands for “advanced,” PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station)
  1. With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
  1. Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
  1. PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
  1. People refuse to deal with PCI because they do not believe that anything bad will happen to them, similarly people refuse to deal with APT since they don’t know that APT has already happened to them.

I hope this comparison and contrast was helpful to those who read it as well as Anton’s blog. My goal in writing this is three fold:

  1. To ensure that the dialogue pertaining to APTs and other advanced families of threats remains pure and unadulterated.
  2. To ensure that inaccuracies and under developed concepts are prevented from permeating the cultural zeitgeist.
  3. To ensure certain parties avoid liberating graphics from entries posted here at Cassandra Security ;)

Tags: , Filed Under Advanced Persistent Threats (APT), Cyber Defense, Cyber Warfare, PCI-DSS, Subversive Multi-Vector Threats (SMTs), critical infrastructure | 4 Comments 

02.02.2010

In business, accountability is something that cannot be stressed enough.   This was true before the economic breakdown of 2009, and will continue to be long after.  Accountability is of paramount importance and perhaps more so than anything else, it is a good thing.   Accountability is something that at some base level, all humans can relate to.   Ask any child whether or not they receive reprimanding by their parents when found to be in violation of a rule and you will almost assuredly receive a response of ‘Yes’.   If you receive a ‘No’ than perhaps, that is a sign of bigger challenges and problems to come.   Regardless of the response, my belief is that you would be hard pressed to find anyone with any amount of intellectual honesty who would say that being accountable is a bad thing.

Accountability is a good thing.  It is of imperative importance.  Accountability aids us in the definition; maintenance and articulation of healthy boundaries that all humans need and require (though are not always seen or found present).  Boundaries, rooted in the freedom afforded by accountability, enable us to live, grow and prosper with the understanding that we are all responsible for our actions (of course there are things which we cannot control however our responses to external stimuli as Marcus Aurelius taught us, are well within our sphere of influence).  Accountability provides much more in the way of freedom than most would initially suspect.

As information security professionals, we should all (I will not assume that all do however, I will suggest that we all should), be cognizant of the value of accountability.   If one looks at the continuum of information security, and its role within modern business today (regardless of the vertical or sector), one can conclude that being accountable should not be negotiable.  We do not live in a perfect however and as a result, we must assume that in some organizations, for better or worse, it will be seen as being negotiable.  In those cases where it is deemed negotiable, one need not look any further than to the leadership in place and their vision for both the culture.  Similarly, in those environments where it is deemed unacceptable to be negotiable with respect to accountability one need not look any further than the organizational the leadership teams.   When moral flexibility is allowed to negatively influence accountability, it should surprise no one when armies of auditors, assessors, consultants, vendors descend upon the environment in question to aid the bewildered, understaffed information security teams and management.  There is blood in the water and sharks can smell it for miles off.

The impact upon the organizational culture, receptivity and tone becomes more pronounced as well.  The cultural attitudes of the organization in question, in addition to the sub-cultures that exist within the primary organizations business units.  Any number of scenarios can come about as a result from those that are extremely open, productive and collaborative to those that are terribly conflicted and shut down from a productivity perspective.  Enterprises (whether in the public or private sector), do not need to settle for scenarios which encourage mediocrity and closed minded attitudes.  The establishment of accountability as an elementary aspect of organizational culture and politics (social and / or formal), is a wonderful place to begin.   This does not mean that organizations should begin encouraging Orwellian information gathering campaigns where rewards are given to those who inform on their co-workers infractions (real or perceived), but rather where all parties from within all roles understand their contribution to the organization in any and all forms to and including being accountable for ones’ own actions and to one another so as to prevent any damage to the organization and / its assets (tangible and intangible alike).

You might be saying to yourself as you read this “that sounds wonderful Will, however I live in the real world and work there to.   I have no use for esoteric philosophical idealism when I need to get the job done today, especially when I have to demonstrate compliance for God knows what to God knows who”.  Fair enough, I can appreciate that which is exactly why reply would go something like this “Of course you don’t, you’ve got a lot to accomplish in little time and with even less in the way of resources however if you take a few steps back from the situation, employing observing ego you will see that the advocacy of accountability in the form I am speaking of (predominantly through sound risk management based security programs and frameworks), would relieve you of much (not all), of the challenges you face”.  Crazy you?  Unrealistic?  Immature? Handsome (had to throw that in to see if you were paying attention ;) .  My assertion is that through the adoption of a solidly crafted risk based security program and framework; accountability can be achieved where it currently does not exist and supported & enhanced where it already does so.

So how do we get there from here in the absence of accountability?   The first step is to revisit your organizations P3 (process, procedure, and policy) to see what exists (if anything), to do date.   Odds are, something does though the state and maturity might vary.   Should you find yourself in a situation where you have none or what is roughly the equivalent of none, fear not.  This is not necessarily disastrous however, it should be addressed and amended swiftly in order to ensure the organization maintains its risk posture or, at the very least, becomes cognizant of it.

Tags: , , Filed Under Assessment, Audit, Cyber Defense, Information Security Philosophy, risk management | 2 Comments 

Next Page »