A recap of RSAC 2017
RSA 2017 finished up last week - thousands of security professionals descended upon the Golden City, ready to learn about the newest technology.
If you made it to our booth, you heard us discuss how digital transformation is having a substantial impact on organizations in every industry. The cloud is becoming harder to navigate, with more products and solutions offered than ever before. On top of that, many organizations with a security program in place are wondering how to keep up with the threat landscape and digitization.
I touched on this during my interview with Illena Armstrong, VP Editorial, SC Media, at RSA. Organizations need a strong and flexible security program that is able to adopt and transition to new technological advancements. Watch the full interview below to learn how the ability to adopt solutions faster can save costs, and the key things to consider in the digital transformation...
Is "Thingamageddon" an Imminent Threat?
In a recent article on www.darkreading.com, Matthew J Schwartz writes about the "Thingularity" that some security experts fear is about to be upon us.
The "Thingularity" or, perhaps more appropriately "Thingamageddon", refers to the push to create an "Internet of Things" (IoT seems to be the TLA for those so inclined) where all sorts of appliances and devices that were never previously connected to the Internet suddenly are.
But as the article discusses, the danger lies in the IoT becoming an Internet of "Thingbots". There have already been demonstrations and evidence of connected devices like media centers, refrigerators and TVs becoming bots used to send spam and participate in attacks.
Technology has a history of demonstrating that we CAN do something, often (always?) before we perhaps SHOULD do something. Call me...
In Nathaniel Hawthorne's classic novel, Hester Prynne is required to wear a scarlet letter "A" that identifies her as an adulteress to the rest of the community. After having a child out of wedlock, the letter and the subsequent public shaming is her punishment for her sin and her refusal to identify the father.
Like Hester, organizations that have had a non-trivial information security compromise - and especially those that have experienced a breach of customer or confidential information - wear a similar letter today. In this case the scarlet letter "A" represents the fact that they have been successfully "attacked." And while the public impact of the letter may vary from slight public humiliation to the demise of the business altogether, the hidden impact within the criminal underground is incredibly consistent. Between the public acknowledgement, the bragging and the gossiping it’s a done...
Most people assume IRP stands for “Incident Response Plan,” but after providing managed security services, as well as identifying and helping our clients respond to security incidents for 13+ years, Solutionary takes a different view.
Incident Response is about how you respond to an incident. While this is an accurate statement, it is not quite as simple as it sounds. Think about how this works in real life.
Company A: Has an incident response plan but has done nothing to prove it actually works; they have great technical staff and are confident in their ability to react to an incident if one happens. When they are breached, they react using an unproven plan. Someone calls the database administrator (DBA) who, unfortunately, left the organization 6 months beforehand. After some scrambling, the replacement DBA steps in. He does not have the same skills as his predecessor and accidentally...
As always, there have been lots of interesting cyber security and incident reports in the media this week. While most typically report on a major train wreck that has already occurred, every once in a while we get a warning about something that has had zero impact so far but that we should all nonetheless start thinking about. One of this week’s big thought provokers was reported by Antone Gonsalves in CSO. In Mobile devices set to become next DDoS attack tool, he reports on how an analyst from Javelin Strategy & Research is convinced that smartphones and tablets will become a significant launching pad for distributed denial of service (DDoS) attacks against corporate websites. Although there hasn’t been a reported case of this yet,...
I was perusing DarkReading, a favorite security news site of mine, when I stumbled upon this article, Talking 'Bout My Reputation, which discusses the underlying fact that in security monitoring, automation can only take you so far.
No matter how much context you have when monitoring (and more is always better!), you still need the understanding, creativity, experience, and knowledge of security experts to make the final verification and decision regarding the veracity of the information your security monitoring platform is providing.
In the article, one kind of context is discussed, security intelligence, but there are many other sources of context including vulnerabilities,...
Last week it was reported that a new breed of malware was discovered infecting computers in Iran and other Middle Eastern countries. The malware, named Flame by Kaspersky Labs, is making its way to the headlines at a rapid pace.
There is some speculation the malware may have been built around an existing platform and network discovery toolset called -- wait for it -- F.L.A.M.E.
F.L.A.M.E. stands for Flexible Lightweight Active Measurement Environment and was developed by Brazil's National Laboratory of Computer Sciences (LNCC) to enable active measurement within various systems on a network.
The software is quite extensive and includes an endpoint agent, a manager to control the agents and receive results, and a user console to interact with the manager. Additionally, the system has Lua embedded to use for "plug-in" development capability. Lua is a scripting environment that interfaces well with "C" code to enable new "plug-ins" to be...
Maybe it’s the nature of our “always on”, “instant access”, “social media” world, but I was talking with a fellow information security professional the other day and he was lamenting the fact that when he recently tried to discuss APTs with a customer, their eyes sort of glazed over, checking their phone suddenly became a big priority, and they had to cut the encounter short because of a "thing" they had to take care of immediately.
I can't say as I blame them. The information security industry, always looking to find new ways to convey the seriousness of the attacks it is defending against in the field, rode APT harder than Seattle Slew in 1977 when the horse won the Triple Crown. And the “hype exhaustion” was perhaps inevitable. “APT” became the new buzzword du jour, and if you didn’t talk about APTs and how you had the best solution for them, you were old news.
...
Happy Thursday, SolutionaryMinds Readers,
No one wants to be that person who learns a lesson after something terrible happens. So, to reinforce the dangers I brought up in my post from August 9, check out this article in IT World and find out how a disgruntled employee was able to create virtual chaos. This virtual chaos would end up costing the company $800,000.
Just in case you were skeptical!
As technologists and security practitioners, we tend to lump like things together to reduce complexity and identify trends. For instance, in describing the assets of a company we might break them down into the following general categories:
And we will likely further sub-divide those categories into things like
But aside from organizations that have to segregate based on their PCI Cardholder Data Environment (CDE), I rarely see much differentiation within desktops. They are secured, assessed, patched, and reported on as an aggregation.
This can be a very costly mistake in two very specific cases:
1) Corporate Account Processing...
For years now, anyone involved with IT infrastructure and especially networking has been hearing about, perhaps contemplating, and maybe even preparing for the ever-delayed, but inevitable transition to IPv6. I personally have been sounding the alarm about the IPv6 transition for at least the past five years because I believe it presents an opportunity for a resetting of the information security landscape -- and I don't mean for the better. Here are five reasons I believe the transition to IPv6 will jeopardize security.
1) It will be harder to think about networks and routing
We are moving from a human-comprehensible system to a machine-comprehensible system. Studies have shown humans can retain approximately seven objects in short-term memory. I believe these and other human factors are going to severely limit our ability to visualize and communicate our own networks without the use of tools. This will cause...
RSA announced Thursday, March 17, 2011 that a possible APT may have revealed certain information concerning their SecurID products. Because of this, Solutionary is recommending that organizations take the following steps:
- The extent of the breach is not known at this point; however, there is nothing to suggest that SecurID has been compromised.
- Oftentimes, quick fixes have great consequences.
Educate users and management about what happened. Emphasize:
- Likely social engineering activity, malicious in nature, attempting to leverage the confusion and hype related to the RSA breach
- Likely phishing techniques to “reset” or “validate” SecurID tokens
- Messages which seemingly are originating from...
For many years, I have been telling security personnel that in my mind there are no bad guys and good guys; there are only people that can hurt you. In essence, treat everyone as a bad guy and you will limit the damage any one individual can visit upon you.
My assumption in seeing the continued release of US secret, confidential and foreign access documents is that those materials were obtained from someone inside the organizations where the information originated. In the case of the Iraq and Afghanistan war-related documents, we know this to be true.
Army intelligence analyst Private Bradley Manning is facing a military court-martial for his part in the leaking of the war documents. Obviously, Private Manning was given extremely broad access to war documents in his role as an intelligence analyst. But even beyond that, he was given control of the documents along with access. I hear this...
I saw this headline the other day: “Undersea cable set to boost West Africa broadband”. My cynical, security-hardened mind fleetingly dwelled on the wonderful opportunity this presents to the academic and commercial sectors of Nigeria, before crashing headfirst into wondering what new cyber threats might emerge because of it.
Nigeria's penal code lent the “419” moniker to the class of scams that include deposed princes and government ministers with chests full of hidden cash, just waiting to be released with the kind help of a (greedy and ill-informed) stranger in a western country and their bank account details.
Given the level of cyber-activity we see on a daily basis from places in the world that combine good Internet connectivity, an educated populace, and a lack of local opportunity, it's no wonder that resourceful and clever Nigerians figured...
Recently, a disturbing new phishing trend has developed: hackers are now using what were traditionally considered consumer-banking-focused phishing techniques on business and organizational targets. The FDIC just held a one-day symposium that addressed the particulars of this new trend of cyber fraud targeting the Automated Clearing House (ACH) network. The discussions were eye opening on many levels.
The Federal Reserve (the public) and the Electronic Payment Networks (the private) process over 10 billion payments a year, valued at more than $25 trillion. But what is ACH? ACH payments allow organizations to issue hundreds or thousands of payments in a cost-effective manner. You most likely encounter the ACH network every time you get paid, as direct deposit payroll is one of the largest origins of ACH transactions.
There are three main factors of the ACH vulnerability problem:
- ACH is used by just about every business in some fashion
-...
Recently there was a report of Google being hacked. While the hype was actually bigger than the overall damage, it still bears remembering that we must always be vigilant with even what appears to be a friendly or unassuming email or link. It's hard to say whether the perp at large is sending out data-bait for the sheer thrill of it or has evil aspirations of stealing your identity and money, leaving you to clean up the mess.
The disclosure last week with additional details of the Google hack brings to mind the following thoughts and suggested actions:
1) Users are very often the weakest link in the security of your organization. Social Engineering and...
I read this article the other day, and wanted to throw in my perspective about APT (Advanced Persistent Threats).
APT was coined by Mandiant. Kudos to them for putting a name to something, but it's not REALLY new. What is, perhaps, new is that non-federal-government organizations are seeing APT threats start to be directed at them. Having said that, APT is USUALLY directed at organizations for political, economic (think stealing IP), and technical (source code, process details, etc.) motives.
Here are a few basic "motive" questions that your organization should ask. Doing business in or with China? Looking to? Do you have carefully guarded trade secrets or a disruptive new technology or process that needs protection? Are you involved in large financial transactions, M&A, etc?
APT is not about smashing and grabbing, it's about methodically reaching your objectives,...
I have long been a big fan of Nassim Nicholas Taleb's book, "The Black Swan: The Impact of the Highly Improbable." Personally, I think it should be required reading for all CSOs and information security and compliance personnel.
While the book has NOTHING to say about information security directly, it is focused on how we as humans perceive probability and risk, the tools we have created to measure and manage probability and risk, and why we do not anticipate the most significant events that will occur.
A Black Swan is an event that is:
- Highly Improbable - difficult to predict based on historical information
- High Consequence - yields a game changing and hugely significant impact
- Retrospectively Distorted - after the fact, it seems stakeholders should have seen it coming.
An example from Taleb's book is Caesars Palace in Las Vegas, where the four most significant risk events had nothing to do with the...
I see that organizations are beginning to include customers in their overall information security program. This is a great idea that helps to build an ecosystem of security around your organization, provides an excellent opportunity to be seen as a thought leader that cares about your customers' security, and can even help build security awareness internally.
Providing customers with useful information to help secure their own PCs can avoid a breach of their system and the potential for guilt-by-association that can ensue.
An extreme example of this happened just before Christmas when a story was reported that a breach at Citibank had occurred and at least one customer had lost $1M from their accounts.
Citibank is a big target; this story immediately made headlines and was covered by the major media outlets. There was only one...