I love technology, but I hate it in as many ways as I love it. I realize that makes me sound like a walking contradiction, and perhaps in some ways I am, but it's true: I both love and hate it. I love the doors which have been, and continue to be, opened by it; the never-ending supply of “what ifs” which can be, and often are, realized as a result of our technological strides forward, allowing us all to be the dreamers of dreams. I love seeing the results and wonderment created by some new breakthrough (made possible only through the merit of technological advancement) which increases our quality of life (our real quality of life — the health and well-being of our loved ones, our friends and countrymen), and the lives of those in parts of the world who, through no fault of their own, have not been dealt the same hand of cards as you or I. I love seeing the joy and expressions of awe on the faces of others (and on my own when I am truly taken by something new) upon discovering new information about the world around us, made possible through the blood, sweat and tears of those dreamers of dreams; those visionaries who seek, regardless of their discipline, to create and innovate.
All of these things impress me and will no doubt continue to, as I am in many senses an eternal student (it's in the blood in our family) and will likely go to my grave “studying and researching” something. I accept this. What I don't love about technology is the downside which we, not it, realize and subsequently inject into ourselves and the world around us. Non-sentient objects lack the will to do anything on their own; they must be directed to do so, and as such I suspect this is the trouble with technology: it's a people problem. Today I read an article which both saddened and infuriated me in all of five minutes' time. It covered the Government Accountability Office's (GAO) latest 66-page report on the state of persistent information security weaknesses within the federal government. The quote that struck me most within the report is as follows: “Persistent weaknesses in information security policies and practices continue to threaten the confidentiality, integrity and availability of critical information and information systems used to support the operations, assets and personnel of most federal agencies,” Gregory Wilshusen, GAO director of information security issues, wrote in a 66-page report issued Friday. “Recently reported incidents at federal agencies have placed sensitive data at risk, including the theft, loss, or improper disclosure of personally identifiable information of Americans, thereby exposing them to loss of privacy and identity theft.”
I am sickened by this and, to a degree, outraged. That in the year 2009, after all which we as a nation have endured, we're still left dealing with issues such as this is outrageous…or is it? After all, as one of my best friends is fond of saying, there is no patch for humanity. Perhaps we as an industry need to champion people, process and technology more heartily and emphasize the fact that technology alone can only solve so many problems.
Icarus and Daedalus
And Icarus, having been overcome by the experience of flight, neglected the warnings and instructions of his father. He flew ever higher towards the sun, ignoring the fact that the wax holding his wings together was melting, until it could be ignored no more. With arms flailing in a vain attempt to stay aloft, he fell to his death, immortalized in myth for both his daring and his foolishness. We live in a real world, one which is often less generous to those who are less inclined to pay attention to detail than to those who do so with a greater degree of vigilance. Daedalus knew this and tried to stress it to his son as they attempted their escape from the island of Crete. Daedalus attempted to instill situational awareness in his son, cautioning Icarus on the dangers of flying too high toward the sun or too low toward the sea; his purpose was pure and his execution sound. Regardless, Icarus did not heed the warning he received.
As the myth suggests, the experience of flight was simply too much for Icarus, and regardless of Daedalus' familiarity with risk management, Icarus chose his own path. He paid with his life; what greater price could be paid?
Our world is no less dangerous than that of Icarus and Daedalus. Sure, most of us are not being held against our will in a fortress in the Mediterranean Sea, but we face threats daily whether we realize it or not. It's a real world, and because it is real it requires commensurate levels of awareness and activity to mitigate those threats. Attention to detail, as Icarus discovered, can mean the difference between life and death. In our world it can mean the difference between large-scale data loss and exfiltration via the compromise of critical assets, and the prevention of such occurrences. Daedalus knew this, and as such his approach was understandably different from his son's. Did he face threats? Of course he did! In deciding to use his wings to fly between the sky and the sea, he accepted an assumed level of risk. He demonstrated the appropriate level of situational awareness and as such arrived at his final destination. The story of Icarus and Daedalus is the story of each and every one of us. At any and every moment we are faced with vulnerabilities, threats that could exploit them, and the levels of risk produced as a result.
Management of risk is essential to our survival in both business and our personal lives (and in some cases greatly influences the balance between life and death). It is both an art and a science; a philosophical as well as a pragmatic endeavor. It requires situational awareness and the ability to apply qualitative and quantitative analysis (at times in an exhaustive manner) to a given set of inputs in order to arrive at a conclusion about a situation's or an organization's posture at a given time. In many respects I believe that the industry has sacrificed risk management at the altar of compliance, hoping against hope that in taking that path all threats would be mitigated and an acceptable level of risk arrived at. This is an infantile and dangerous approach to take when one has been tasked with ensuring the risk posture of oneself, one's community, one's place of business and one's nation.
My background is heavily entrenched in risk management. As a consultant working with Fortune 500 to Fortune 10 organizations, I and my peers for years preached with an evangelical fervor on the importance of approaching risk management in a holistic manner, the goal being total accountability for all aspects of a given organization (physical, logical, financial, etc.) in order to establish total asset valuation (for tangibles and intangibles) and the subsequent degrees of associated risk and maturity. Risk management is a non-trivial endeavor. To assert otherwise would be both irresponsible and unethical. The threat landscape is growing at a rate which cannot be ignored, and the potential impact of not being prepared could result in Icarian ends. It's time for the industry and security professionals everywhere to re-evaluate their feelings and opinions about risk management and focus on what matters most in both the short term and the long term. Icarian or Daedalian, which path do you find yourself on? If you answered Daedalian, I congratulate and salute you; keep it up and encourage others to do the same. If you answered Icarian, there is still time to adjust your course before reaching disastrous ends.
Cracking SSN Numbers…
I was recently chatting with a few colleagues about data security and PCI-DSS. The topic of SSN protection came up with the recent media blitz around computer scientists from Carnegie Mellon University being able to predict your nine-digit SSN. For further information please check out this article from Wired: http://www.wired.com/wiredscience/2009/07/predictingssn/. In short, they have determined a “radical” way of predicting SSNs. Additionally, if you were born after 1988 in a sparsely populated state, the prediction is apparently more accurate, since the assignment follows a deterministic pattern. Is this something you should worry about? Honestly, this does not surprise me, nor am I going to lose any sleep over it. The question we must ask ourselves is whether the organizations that house our Personally Identifiable Information (PII) are using the proper safeguards to protect our data.
The emergence of regulatory compliance regimes such as PCI-DSS, HIPAA and others is just the starting point. Your information is valuable to someone. Cybercrime is widely reported to have surpassed the drug trafficking trade at over a trillion dollars a year. What is being trafficked? SSNs, credit card numbers, passport data and the like. The recent media blitz on this will certainly raise awareness, including of the countermeasures we as individuals can control, such as whether we give out PII over the phone or the Internet. We need to ask ourselves whether certain information is necessary to give out at all. As we rely more and more on the Internet for commerce, social networking and so on, the emergence and refinement of regulatory compliance is certainly going to grow.
The above comments are strictly mine and mine only, they in no way reflect the position of my employer, management or any other organization with which I’m associated.
Independence Day Cyber Attacks…
Multiple sources are reporting that a massive DDoS attack crippled several US and South Korean Web sites. The reports claim the attacks are coming from North Korea and/or pro-North Korean groups. An operation of the kind reported does not require a high level of sophistication. I gave a Web cast with SANS on Cyber Terrorism this last Tuesday. You can check out the archive: https://www.sans.org/webcasts/show.php?webcastid=92489. I gave a lot of examples of DDoS attacks that made the news and showed just how easily a cyber actor can tap into what I call HaaS (Hacking as a Service). The targets reported in the news were government sites; hence the attacks did not disrupt critical infrastructure or social networking sites, which probably would have been front-page news. Is this just a sample of the capability that North Korea is flexing, or do they plan to escalate the sophistication? As the level of sophistication rises, so must the countermeasures we consider.
DDoS attacks are very loud and send a clear message…it's the silent attacks that require the additional network forensics and data mining tools provided by vendors like NetWitness or Palantir. Event-level data is great, but full-session packet-level data provides a much more granular picture of possible attack vectors that fly under the radar. A great example of that is GhostNet, which I talk about briefly in my SANS Web cast. The following link provides a great example of the level of detail that went into that investigation: http://www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network. As my fellow colleague Will Gragido said, what's more powerful, a bullet, a bomb or a bit? Depending on the criticality of the target, they all can have an impact.
The above comments are strictly mine and mine only, they in no way reflect the position of my employer, management or any other organization with which I’m associated.
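The loud-versus-silent distinction in the post above, as an added example in Python. This is not code from the post, the SANS webcast, or the vendors named there; every address, timestamp and threshold in it is constructed sample data or an assumed tuning value. It runs two detectors over one constructed connection log: a per-source count per 60-second bucket (the event-level view, which a volumetric flood trips immediately) and a per-(src, dst) inter-arrival regularity check (the per-session timing view, which is what catches a host quietly checking in to one server every few minutes at a rate no count threshold would ever notice).

```python
"""Added example (Python), not code from the post, the SANS webcast, or the
vendors it names: two detectors run over one constructed connection log.

  flood_sources()  - the event-level view: requests per source per 60-second
                     bucket. A volumetric DDoS is "loud" and trips this at once.
  beacon_pairs()   - the per-session timing view: inter-arrival regularity for
                     each (src, dst) pair. A host that checks in to one server
                     every few minutes never exceeds a count threshold, but its
                     clockwork spacing stands out once sessions are reconstructed.

Every address, timestamp and threshold below is constructed sample data or an
assumed tuning value, not an observation from the attacks the post describes.
"""
from collections import defaultdict
import random
import statistics


def make_log():
    """Return constructed log lines of the form 'epoch_seconds src dst'."""
    rng = random.Random(2009)            # fixed seed: the sample is reproducible
    t0 = 1246975200.0                    # assumed base time, 2009-07-07T14:00:00Z
    lines = []
    # Ordinary clients: a dozen requests each, irregularly spaced over hours.
    for i, src in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12")):
        t = t0 + 7 * i
        for _ in range(12):
            t += rng.uniform(30, 900)
            lines.append(f"{t:.3f} {src} 203.0.113.5")
    # Flood: one source fires 600 requests in roughly a minute.
    t = t0 + 600
    for _ in range(600):
        t += rng.uniform(0.05, 0.15)
        lines.append(f"{t:.3f} 198.51.100.7 203.0.113.5")
    # Beacon: an internal host contacts a server nobody else uses every
    # 300 s (+/- 1 s) for two hours: only 24 requests in total.
    t = t0 + 45
    for _ in range(24):
        t += 300 + rng.uniform(-1, 1)
        lines.append(f"{t:.3f} 10.0.0.23 203.0.113.9")
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


def parse(lines):
    """Turn 'epoch src dst' lines into (float, str, str) tuples."""
    events = []
    for line in lines:
        ts, src, dst = line.split()
        events.append((float(ts), src, dst))
    return events


def flood_sources(events, bucket=60, threshold=100):
    """Peak requests per source in any `bucket`-second window.
    Returns {src: peak_count} for sources whose peak exceeds `threshold`."""
    counts = defaultdict(int)
    for ts, src, _dst in events:
        counts[(src, int(ts // bucket))] += 1
    peak = defaultdict(int)
    for (src, _b), n in counts.items():
        peak[src] = max(peak[src], n)
    return {src: n for src, n in peak.items() if n > threshold}


def beacon_pairs(events, min_events=8, min_mean_gap=60.0, max_cv=0.05):
    """Inter-arrival regularity per (src, dst) pair.

    A pair seen at least `min_events` times, at a low rate (mean gap of at
    least `min_mean_gap` seconds) with a coefficient of variation of the gaps
    at or below `max_cv`, is flagged. High-rate pairs are skipped on purpose:
    they are flood_sources()' job, and this view is for what the counts miss.
    """
    times = defaultdict(list)
    for ts, src, dst in events:
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean < min_mean_gap:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = {"count": len(ts), "mean_gap": round(mean, 1),
                             "cv": round(cv, 4)}
    return flagged


if __name__ == "__main__":
    log = parse(make_log())
    print("flood sources  :", flood_sources(log))
    print("beaconing pairs:", beacon_pairs(log))
```

The point of running both over the same log is that the flood source is the only thing the count threshold ever sees, while the beaconing host sends 24 requests in two hours and is invisible to it; only reconstructing the per-pair session timing exposes the regularity. On real traffic the thresholds need baselining per destination and the regularity check needs to tolerate jitter a real implant would add, but the division of labour (counts answer "how much", session timing answers "how regular") is the reason the post argues for full-session data alongside event-level data.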
The Costs of Securing Dangerously
Recently I attended a meeting where one party shared with me how he felt there was no reason to invest in advanced security technologies, people or process, due to his belief that the organization was not a ‘prime target of opportunity’. I noted that in my journal, as I'm prone to doing, and thought about the idea and attitude associated with this line of logic. Security via obscurity isn't a new concept; in fact it is quite old. It occurred to me, however, that here we were in the year 2009 and this line was being fed to me by a representative of a multibillion-dollar corporation. Now, whether you have heard of this corporation or not is irrelevant (I'll never disclose that, so don't even try), but what is relevant, and to be honest quite frightening, is the idea that there are large enterprises operating in this manner today. In the year 2009. It occurs to me that there are multiple problems facing organizations today which may account for this attitude:
- The inability to properly articulate a business case that is relevant to the state of the enterprise and the threats it faces
- The inability to properly assess the environment for risk and vulnerability, leading to subsequent deficiencies in business case development
- The lack of true understanding with respect to the threat landscape and underground, and that it's not your father's Internet anymore
- That many business executives are not enlightened to the potential risks their businesses are facing and as such cannot natively connect the dots for themselves and arrive at the appropriate conclusions
This is just a short list, and of course one which I've dealt with for years in various capacities while working in consultancies and with large security technology and solutions providers, but it still concerns me. What troubles me is that the message is not being heard, or that it is being drowned out by other less relevant, though perhaps less disconcerting, messaging. Now, going back to the example of the fellow who shared that insight with me. He meant no harm in saying what he said, and he genuinely could not fathom that his was a business which could end up as a target of interest to a malicious third party or, worse yet, an insider. In speaking with him at length and in gross detail, I believe I made my points with respect to the realities associated with the threats that everyone (even his organization) faces today, regardless of their level of notoriety, and I didn't even have to go down the dreaded regulatory route (though I could have; needless to say there are regulatory bodies and auditors with whom this gentleman will likely be having interesting conversations if his attitude toward the realities of the world does not change). I'm hoping I have the opportunity to go back and revisit this organization and aid their development from immaturity to maturity with respect to risk posture. It's not too late to begin.
Where the Wild Things Roam….
This has proven to be an interesting week so far for cyber activity. Volume levels of malware shifted even further in China's favor yesterday, reaching a level of 53% according to Trustedsource.org. Today things have calmed a little, with the volume numbers floating at approximately 47%. These numbers represent global estimates of malware origination and activity and are high by any account. It's incredible. Not more than a year ago the Russian malware underground surpassed both the USA and China respectively, but something clearly new and intriguing has occurred which has catapulted China to the foreground of malware distribution. I'm sure the latest Microsoft vulnerability aided in raising the levels yesterday. It's an interesting vulnerability, and exploit code for it is thought to have made its way onto thousands of web servers in China alone. Of course, once a server is compromised, the unsuspecting Internet user who stumbles across it with a vulnerable IE build is wide open to the introduction of malicious code and content. A new version of an old scene. It's an interesting time to be in the security field. What's old is new again, and in some cases what's old is only now being recognized as new by the world. The ‘wild’ has become much more so with the mass influx of nations such as China re-energizing the business of malicious code and content. This morning, media reports here in the US have confirmed a massive DDoS attack which has affected Treasury Department, Secret Service, Federal Trade Commission and Transportation Department websites. The South Korean government has reported similar attacks (where compromised systems, most likely bots, were instructed to visit and subsequently overwhelm several sites). Speculation regarding the origins of the attacks continues, though many believe that the North Korean government is behind the activity. Today I'm off to conduct a presentation which I'll be co-hosting.
The audience will be predominantly comprised of folks from the energy industry, and as such my portion of the talk will focus on next-generation threat landscape information and examples of real and imagined threats to these environments. Should be an interesting day…can't wait to see what happens next. Stay focused, stay vigilant and stay secure!