Apparently, I am a man ahead of my time. While I have always sensed that there is something not quite right about the universe, scientists have just caught up with me. According to new ultra precise measurements, the universe is expanding faster than it should be. Maybe I am super sensitive, but I am wondering if everyone and everything else is trying to get away from us…
A presentation from this past week’s Chaos Computer Congress shows how totalitarian states (like, in this case, North Korea) can leverage open source software in furtherance of their evil aims of repression. Case in point – the DPRK’s Red Star Linux distribution. In this talk, researchers describe their examination of added “features” which appear to allow the government to track documents and media created on users’ computers, track where documents and media have been shared, and remove “objectionable” content (such as references to politically sensitive subjects) from users’ machines. One surprise feature of the Red Star OS is the ability to encrypt files and disks, although it is very likely (but not yet proven) that such encryption is rigged to allow government access to such data. The OS seems to be very good at protecting itself from “tampering” by users to disable these (and probably other) key features.
The video is an hour long and gets into some detail on Linux internals, but even if you are not a Linux/techy person, you will be able to appreciate the skill and evilness that the DPRK put into this.
On June 16th, 2015, I was privileged to participate in a panel entitled “The Practitioner’s Perspective on Cybersecurity” at the SmartBrief Cybersecurity forum, held at the New York Yacht Club. At this event, co-sponsored by SIFMA, I and a panel of other financial services security professionals bloviated on the challenges facing us today.
Here is a 15 minute “highlights reel” from the panel…
And here is the full discussion, which ran approximately 45 minutes…
The participants were:
Al Berg, Chief Security and Risk Officer, Liquidnet Holdings Inc.
Robert Cornish, Chief Technology Officer and Chief Information Security Officer, International Securities Exchange (ISE)
Boaz Gelbord, Chief Information Security Officer, Bloomberg LP
George Rettas, Managing Director and Chief of Staff, Global Information Security Department – Information Protection Directorate, Citigroup
Moderator: Sean McMahon, Senior Finance Editor, SmartBrief
More videos from this event can be found here.
Every once in a while, I like to take a step back and look at just what it is that I as a Security and Risk professional am supposed to be doing for the people who seem to be regularly depositing money in to my bank account. Sometimes, getting caught up in the day to day tasks of keeping my company off of page 1 of the Wall Street Journal clouds the bigger picture. I sat down this weekend and gave this issue some thought and (at the risk of being accused of navel gazing) came up with the following thoughts on what we security people should be doing and why:
According to a survey released by endpoint security solution vendor Bromium, 79 percent of surveyed information security professionals view end users as their “number 1 security risk.”
What security people need to understand is that the end users are not the problem. The end users are our customers (and one of the main reasons we have jobs). The problem arises from the increasing sophistication of attackers and their tools and ruses. In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover on the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money). Since then, the attackers have been getting better and better at their jobs. They send very professional looking email and social media bait which is very hard to distinguish from legitimate emails. They do their homework, mining social media for personal and business information to make their clickbait more convincing. End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.
I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks. It has a great return on investment for just about every organization.
We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them. Organizations need to beef up their email security, adding things like pre delivery attachment analysis, real time checking of clicked urls at both the time of message delivery and user action and sandboxing tools (EMET is free and pretty effective).
End users are not stupid. They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day. We have to step up our efforts to protect them, not call them a problem. That’s what we get paid for.
Go hug an end user today.
So, there are two different kinds of ambulances here in the US. BLS (Basic Life Support) rigs are staffed by EMTs who are trained in basic life support techniques focused on airway, breathing and circulation. EMTs do not administer drugs – we cannot even give you a Tylenol for pain. If you are unfortunate enough to be meeting us on a day when you are having a cardiac arrest, we will do CPR, give you oxygen and maybe zap you with a automated defibrillator. We’ll also call for our ALS (Advanced Life Support) colleagues – the paramedics – to respond and give you the advanced monitoring and interventions (EKG, intubation, intravenous drugs, and the like) that we can’t.
As an EMT, I am always happy to have paramedics on any call, especially a cardiac arrest, so I was really surprised to read an article this week which described a study published in the Journal of the American Medical Association which found:
90 days after hospitalization, patients treated in BLS ambulances were 50 percent more likely to survive than their counterparts treated with ALS. The basic version was also “associated with better neurological functioning among hospitalized patients, with fewer incidents of coma, vegetative state or brain trauma.”
Now, to be clear, your chances of surviving an out of hospital cardiac arrest are pretty lousy… 9 out of 10 patients who ‘code’ in the field will not survive to hospital discharge. CPR works way better on TV than it does in real life.
Anyway, while I am a bit skeptical of this study’s results, it does seem to me that there is a bit of an information security aspect to this. Time and again we hear of companies who have spent big on flashy technology still getting owned by hackers. For example, Target had purchased advanced anti malware defenses from FireEye as well as outsourced monitoring for those defenses. According to reports, the people and tech detected the bad guys, but failing to do “information security BLS” by examining the systems which were showing signs of trouble sealed Target’s place on the front page.
There are a lot of “information security BLS” measures that don’t use flashy technology or wheelbarrows of money that we can take to protect our systems:
These (and many other) “information security BLS” interventions go a long way towards keeping hackers away from corporate data. They aren’t complicated, and you don’t need to buy all sorts of blinkie light boxes to implement them. Yet, time and again, companies fail to pay enough attention to them. Part of the problem is that infosec professionals want to get hands on with the latest technology and doing some of these low tech interventions requires serious time and planning to avoid negative impacts to the business.
So, my resolution for 2015 is to take another look at the Council on CyberSecurity’s Critical Security Controls list and make sure my organization is doing everything we can to implement them. As an industry we need to make sure we are doing the BLS interventions right and apply the ALS level security-fu when it is needed.
Interesting blog post from Graham Cluley on LastPass’ support for using the Galaxy S5’s fingerprint reader as the key to your password vault. Since the S5’s fingerprint reader has been shown to be vulnerable to low sophistication fake fingerprint attacks, he wonders whether this (admittedly) very convenient feature is worth the risk. As a LastPass user, I don’t think I would base the security of the keys to my entire digital life on this particular piece of hardware. However, this does beg the question – is the low but non zero risk of someone getting hold of your phone and fingerprint exceed the risk of using the same damn password on every site you visit? LastPass also offers a mitigation for this scenario – it is possible to specifically permission which mobile devices can access your account. If you phone is lost or stolen, it is possible to revoke that permission (if you notice the loss or theft quickly enough). This is a risk calculation that users will have to make for themselves.
This is a really well written critique of our addiction to the news. According to the author, “News is bad for your health. It leads to fear and aggression, and hinders your creativity and ability to think deeply. The solution? Stop consuming it altogether.”
For me, this is one of those cases where I totally and emphatically agree with the writer, but can’t even picture taking his advice. I guess that I truly am a news junkie.
An interesting thought from Adi Shamir at #RSAC Cryptographers Panel… Cryptography has been becoming **less** important over the last few years. When you wanted to know Napoleon’s plans, you put a spy next to him. When you wanted to know Hitler’s plans, you eavesdropped on his comms. Today, spies are moving towards use of advanced persistent threats, which sit inside of the organization, and get/exfiltrate data before encryption happens. We need to start thinking about how to hide the important information from the APTs which are already in the organization.
OK – what are you more afraid of – sharks or cows? Well, according to the folks at Popular Mechanics (via blog Boing Boing), it is the crazed bovine death machines which are the real threat:
Between 2003 and 2008, 108 people died from cattle-induced injuries across the United States, according to the Centers for Disease Control and Prevention. That’s 27 times the whopping four people killed in shark attacks in the United States during the same time period, according to the International Shark Attack File.
It seems to me that information security risks are a lot like sharks and cows. We infosec professionals love to talk about, hunt and defend against sharks, like zero-day vulnerabilities, state sponsored cyber-weapons, and other exotic threats. However, it is the cows of the infosec world, like unpatched software, misconfigured systems and devices, human errors, and users falling for malware laden links or emails, that are much more likely to result in a system compromise.
When making decisions about where to put our limited infosec funds and resources, we need to decide whether the threat we are defending against is a shark or a cow. Let’s take care of the cows first – before they take care of us. Then we can have some fun and hunt the sharks!
