A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression. Case in point – the DPRK’s Red Star Linux distribution. In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines. One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data. The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.
The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.
On June 16th, 2015, I was privileged to participate in a panel entitled “The Practitioner’s Perspective on Cybersecurity” at the SmartBrief Cybersecurity forum, held at the New York Yacht Club. At this event, co-sponsored by SIFMA, I and a panel of other financial services security professionals bloviated on the challenges facing us today.
Here is a 15 minute “highlights reel” from the panel…
And here is the full discussion, which ran approximately 45 minutes…
The participants were:
Al Berg, Chief Security and Risk Officer, Liquidnet Holdings Inc.
Robert Cornish, Chief Technology Officer and Chief Information Security Officer, International Securities Exchange (ISE)
Boaz Gelbord, Chief Information Security Officer, Bloomberg LP
George Rettas, Managing Director and Chief of Staff, Global Information Security Department – Information Protection Directorate, Citigroup
Moderator: Sean McMahon, Senior Finance Editor, SmartBrief
Every once in a while, I like to take a step back and look at just what it is that I as a Security and Risk professional am supposed to be doing for the people who seem to be regularly depositing money into my bank account. Sometimes, getting caught up in the day-to-day tasks of keeping my company off of page 1 of the Wall Street Journal clouds the bigger picture. I sat down this weekend and gave this issue some thought and (at the risk of being accused of navel gazing) came up with the following thoughts on what we security people should be doing and why:
The purpose of the Information Security/Risk Management function is to protect the organization and its stakeholders while enabling it to achieve its business goals. Information Security/Risk Management should not be the department that says “No,” it should be the department that says “Here’s how we can move forward – safely.”
Understanding the goals of the organization and the processes, procedures and products used to meet those goals is vital to the work of Information Security and Risk Management. Every organization (and sometimes divisions within the organization) has a different risk appetite, leading to a unique set of policies, procedures and technologies.
The foundation of Information Security and Risk Management is the organization’s people and culture. Technology certainly has a large role to play in building defenses, but a well educated and vigilant management team and work force (the “Human Firewall”) is the keystone of a successful information security program. Management’s choices as to risk must be informed and the CSRO must provide them with the information needed to make the right decisions.
While “advanced persistent threats” and cutting edge attacks get a lot of press attention, most security breaches result from the organization’s failure to implement the boring, basic, but vital “Security 101” measures.
Information security as a practice has changed significantly in the past decade. While once, we built moats and castle walls to keep the bad guys out of our networks, today we face attackers who can “parachute in” to an organization by taking control of an employee’s computer. Perimeter controls are still necessary, but networks must be able to withstand an attack from within.
The Information Security and Risk professional must always be learning – about their organization, their industry as well as about new risks, threat actors and defensive techniques. Both the business and Security and Risk landscapes change daily and only by keeping pace with these changes can the Security and Risk professional remain relevant.
What security people need to understand is that the end users are not the problem. The end users are our customers (and one of the main reasons we have jobs). The problem arises from the increasing sophistication of attackers and their tools and ruses. In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover on the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money). Since then, the attackers have been getting better and better at their jobs. They send very professional looking email and social media bait which is very hard to distinguish from legitimate emails. They do their homework, mining social media for personal and business information to make their clickbait more convincing. End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.
I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks. It has a great return on investment for just about every organization.
We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them. Organizations need to beef up their email security, adding things like pre-delivery attachment analysis, real-time checking of clicked URLs at both the time of message delivery and user action, and sandboxing tools (EMET is free and pretty effective).
End users are not stupid. They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day. We have to step up our efforts to protect them, not call them a problem. That’s what we get paid for.
Those of you who have the misfortune to know me personally know that information security is but one piece of the pie that is Al Berg. (mmmm…. pie…) On Friday nights, I swap my desk for an ambulance of the Weehawken Volunteer First Aid Squad where I am an Emergency Medical Technician. Most of the time, these two parts of my life don’t really intersect, but this week, I saw something that seems to bridge the gap.
So, there are two different kinds of ambulances here in the US. BLS (Basic Life Support) rigs are staffed by EMTs who are trained in basic life support techniques focused on airway, breathing and circulation. EMTs do not administer drugs – we cannot even give you a Tylenol for pain. If you are unfortunate enough to be meeting us on a day when you are having a cardiac arrest, we will do CPR, give you oxygen and maybe zap you with an automated defibrillator. We’ll also call for our ALS (Advanced Life Support) colleagues – the paramedics – to respond and give you the advanced monitoring and interventions (EKG, intubation, intravenous drugs, and the like) that we can’t.
As an EMT, I am always happy to have paramedics on any call, especially a cardiac arrest, so I was really surprised to read an article this week which described a study published in the Journal of the American Medical Association which found:
90 days after hospitalization, patients treated in BLS ambulances were 50 percent more likely to survive than their counterparts treated with ALS. The basic version was also “associated with better neurological functioning among hospitalized patients, with fewer incidents of coma, vegetative state or brain trauma.”
Now, to be clear, your chances of surviving an out of hospital cardiac arrest are pretty lousy… 9 out of 10 patients who ‘code’ in the field will not survive to hospital discharge. CPR works way better on TV than it does in real life.
Anyway, while I am a bit skeptical of this study’s results, it does seem to me that there is a bit of an information security aspect to this. Time and again we hear of companies who have spent big on flashy technology still getting owned by hackers. For example, Target had purchased advanced anti-malware defenses from FireEye as well as outsourced monitoring for those defenses. According to reports, the people and tech detected the bad guys, but failing to do “information security BLS” by examining the systems which were showing signs of trouble sealed Target’s place on the front page.
There are a lot of “information security BLS” measures that don’t use flashy technology or wheelbarrows of money that we can take to protect our systems:
Documented policies and procedures
Least privilege for user accounts
Segmentation of internal networks
Applying security patches and updates in a timely fashion
Security awareness training
Sharing information with other organizations
These (and many other) “information security BLS” interventions go a long way towards keeping hackers away from corporate data. They aren’t complicated, and you don’t need to buy all sorts of blinkie light boxes to implement them. Yet, time and again, companies fail to pay enough attention to them. Part of the problem is that infosec professionals want to get hands on with the latest technology and doing some of these low tech interventions requires serious time and planning to avoid negative impacts to the business.
So, my resolution for 2015 is to take another look at the Council on CyberSecurity’s Critical Security Controls list and make sure my organization is doing everything we can to implement them. As an industry we need to make sure we are doing the BLS interventions right and apply the ALS level security-fu when it is needed.
Interesting blog post from Graham Cluley on LastPass’ support for using the Galaxy S5’s fingerprint reader as the key to your password vault. Since the S5’s fingerprint reader has been shown to be vulnerable to low sophistication fake fingerprint attacks, he wonders whether this (admittedly) very convenient feature is worth the risk. As a LastPass user, I don’t think I would base the security of the keys to my entire digital life on this particular piece of hardware. However, this does beg the question – does the low but non-zero risk of someone getting hold of your phone and fingerprint exceed the risk of using the same damn password on every site you visit? LastPass also offers a mitigation for this scenario – it is possible to specify which mobile devices are permitted to access your account. If your phone is lost or stolen, it is possible to revoke that permission (if you notice the loss or theft quickly enough). This is a risk calculation that users will have to make for themselves.
An interesting thought from Adi Shamir at #RSAC Cryptographers Panel… Cryptography has been becoming **less** important over the last few years. When you wanted to know Napoleon’s plans, you put a spy next to him. When you wanted to know Hitler’s plans, you eavesdropped on his comms. Today, spies are moving towards use of advanced persistent threats, which sit inside of the organization, and get/exfiltrate data before encryption happens. We need to start thinking about how to hide the important information from the APTs which are already in the organization.
OK – what are you more afraid of – sharks or cows? Well, according to the folks at Popular Mechanics (via blog Boing Boing), it is the crazed bovine death machines which are the real threat:
Between 2003 and 2008, 108 people died from cattle-induced injuries across the United States, according to the Centers for Disease Control and Prevention. That’s 27 times the whopping four people killed in shark attacks in the United States during the same time period, according to the International Shark Attack File.
It seems to me that information security risks are a lot like sharks and cows. We infosec professionals love to talk about, hunt and defend against sharks, like zero-day vulnerabilities, state-sponsored cyber-weapons, and other exotic threats. However, it is the cows of the infosec world, like unpatched software, misconfigured systems and devices, human errors, and users falling for malware-laden links or emails, that are much more likely to result in a system compromise.
When making decisions about where to put our limited infosec funds and resources, we need to decide whether the threat we are defending against is a shark or a cow. Let’s take care of the cows first – before they take care of us. Then we can have some fun and hunt the sharks!
According to a recent study by security firm Symantec, you are far more likely to encounter malware when visiting religious web sites than when visiting, ahem, adult sites. In an article describing the finding, Network World had this to say:
Symantec found that the average number of security threats on religious sites was around 115, while adult sites only carried around 25 threats per site–a particularly notable discrepancy considering that there are vastly more pornographic sites than religious ones. Also, only 2.4 percent of adult sites were found to be infected with malware, compared to 20 percent of blogs.