Tag Archives: cybersecurity

Message queuing insecurity

I met with Maryellen Ariel Evans last week. She was in Israel on vacation and we had coffee on the Bat Yam boardwalk. Maryellen is a serial entrepreneur; her latest venture is a security product for IBM WebSphere MQ Series. She’s passionate about message queue security and I confess to buying into the vision.

She has correctly put her finger on a huge, unmitigated threat surface of transactions that are transported inside the business and between business units using message queuing technology. Message queuing is a cornerstone of B2B commerce and in a highly interconnected system, there are lots of entry points all using similar or the same technology – MQ Series or the TIB.

While organizations are busy optimizing their firewalls and load balancers, attackers can tap in, steal the data on the message bus and use it as a springboard to launch new attacks. It is conceivable that well-placed attacks on message queues in an intermediary player (for example a payment clearing house) could not only leave the processor unable to clear transactions but also serve as an entry point into upstream and downstream systems. A highly connected system of networked message queues is a convenient and vulnerable entry point from which to launch attacks; these attacks can and do cascade.

If these attacks cascade, the entire financial system could crash.

Although most customers are still fixated on perimeter security, I believe that Maryellen has a powerful value proposition for message queuing customers in the supply chains of key industries that rely on message interchange: banking, credit cards, health care and energy.

 

 


A strategy for combating cyber terror

Instead of getting some real work done this morning,  I started collating some thoughts on cyber security strategy. I guess it’s a lot easier to think about strategies than to fix buggy, risky code.

For most people – there are two worlds, the cyberspace world and the physical, people-populated world.

This dichotomy of two separate spaces has deeply influenced everything we do with information security.

There are corporate physical security people that handle doors and locks and phones and corporate information security people that handle data and network security. The two people and their staffs often do not report to the same manager.

On a government level, we have intelligence, military and police forces and cyber warfare and cyber crime groups inside each organization that may or may not be part of an integrated effort in the war on crime, drugs and terror.

It is a curious facet of our modern, technology-driven life that the adoption of a new technology is inversely proportional to the amount of publicity given to the technology. Who talks about plain old phones? Who talks about email as a killer application? No one.

People still tend to discuss the Internet and Facebook and their own social/work lives as if they are separate entities.

Using this model of gradated technology adoption, we can see that social media has not mainstreamed to the point where it is as much a part of our life as a phone. When people use Facebook or other social media to the same extent that they use a phone, there will be little to say about the “phenomenon of social media”.

However, there are already at least two large communities of people where the Internet and social media have already become part of their day-to-day work life.

These two notable examples are the software developer and hacker communities.  There is no cyber space and physical space, second life and real life; there is only the software and the communications channels that are a means to an end.

If physical, people and cyber space are a continuum, there is no reason to build a security portfolio that treats cyber space and physical/people space separately.

People attack other people and their assets using multiple channels: physical, personal, removable device, email, web, wireless and cellular. Is cyberstalking less severe than a man following a woman home from the gym?

1) The first part of my proposed cyber security strategy is to adopt a single continuum  of threat vectors,  people and  communications channels, whatever and wherever they are.

2)  The second part of my strategy regards means of reducing the cyber terror threat surface.

The academic definition of a terrorist is a person who attacks civilians.

If we consider that cyber terror is not fundamentally different than bombers with suicide belts, we are drawn to consider the amount of damage caused by any terror attack whether on the street or in a database of customer records. Reducing the probability of attack means first of all, reducing the threat surface.

We can reduce the threat surface by dividing and conquering, keeping cyber terrorist strength small and counter-terrorist effectiveness high, and denying incentives for glorification and grandstanding of cyber terror activities. To minimize the glam and sympathy factor, we should withhold real-time disclosure of information regarding the terror activities. See more on counter terrorism on Wikipedia. Because we live in a real-time world of smart phones, Twitter and satellite phones, denying real-time exposure is denying one of the key attacker advantages.

3) I am an advocate of proper thinking over brute force.  A government, and certainly a business cannot spend its way into a secure information posture.

This part of the cyber security strategy mandates spending less money on reactive countermeasures like anti-virus software and reducing vulnerabilities by cutting the number of Windows machines by 10% a year, replacing them with Linux and FOSS technologies that are cheaper and more secure. I have written here, here and here about why using Microsoft Windows is a bad idea. The discipline of software engineering (older and much better developed than information security engineering) has known for years that adding people to a late software development project only makes it even later. Adding more anti-virus software only makes the Windows PCs even more vulnerable.

If we are serious about leveraging private-public partnerships in the war against cyber terror, instead of pouring billions into big defense contractors, let’s call up information security professionals for annual reserve duty in the war against cyber terror. I believe that the Chinese and Israelis already do this.

4) The fourth part of the cyber security strategy is to use offensive measures proactively against attackers before the fact and not after an event. Retaliation after an attack is not an effective security countermeasure for the next attack since it only gives the attackers free publicity and increases their motivation. Taking focused, violent measures before an attack, given accurate intelligence, may be the best and safest way to reduce damage to civilian assets.

5) The fifth part of my proposed cyber security strategy suggests a demand-side strategy to reduce the social value of being a hacker.

Although there are offensive alternatives such as mounting systematic DDoS attacks on the attackers or developing targeted spyware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. Perhaps we can learn from the counter terror success of the Italians in the late 60s with dismantling the Brigatisti. The Italian government infiltrated the Red Brigades, bred mistrust and quickly rolled up the organization.

Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.

Since malware is a form of terrorism – this strategy might be effective since it goes directly to the source and potentially denies a key hacker benefit – the social gratification.


Offensive security

I have written several times in the past here, here and here about the notion of taking cyber security on the offensive.

James Anderson, president of Professional Assurance LLC, says that there is no evidence that governments can protect large firms from cyber attacks. “National security authorities may not even acknowledge that their interests align with a company that has suffered a cyber attack; therefore, companies must think about retaliation,” he says.

Should a company take retaliatory steps beyond simply increasing its own defensive perimeter? The answer depends on the seriousness of the attack and the potential threat from future attacks. Anderson says that simply turning over evidence to law enforcement may not save the company from future cyber attacks. But, if the attack had to do with a government’s critical infrastructure, authorities may take an interest; however, there are no established service levels for government response.

For example, Anderson says some activities that might be considered retaliatory are:

  • legal information gathering to identify attackers,
  • direct blocking of network traffic from specific origins,
  • use of transaction identifiers that label the traffic as suspicious,
  • placement of honeypots,
  • identifying and actively referring botnet details for blacklisting or referral to authorities or industry associations, and
  • certain types of deception gambits against suspected internal malefactors.

This is not the first time that I’ve heard the notion of retaliation using cyber space methods. There are two things wrong with this direction – a) retaliation and b) using cyber security methods to attack the attackers.

The notion that there are two separate universes, a physical universe and a cyber universe, is wrong. There is one continuum of cyber space and physical space. Forget retaliation and go on the offensive. That means using counter terror techniques to discover hacker cells, infiltrate and disrupt them in the physical world. The problem of course is the price tag. It’s cheap to mount a cyber attack but if an attacker knew that they would lose their life if they attacked a US government installation with malware, a deterrent would be created.

Retaliation doesn’t create deterrence – at most, retaliation makes people angry. Just look at the reaction of Palestinian terrorists to Israeli retaliation raids.

Retaliation in cyber space is too late, too little.  Instead – I call on the US and other governments to actively combat cyber terror with the same resolve that they attack physical world terrorists.


How to make Federal data security effective

I submit that a “no tickee, no washee” strategy might improve US Federal data security.

An article published in the Federal Times states that cyber attacks on Federal networks are up 40% from last year, according to a report compiled by the OMB (Office of Management and Budget) that is based on numbers reported by the DHS.

The US spends a lot of money on cyber security, over half of which goes to contractors like Raytheon and SAIC, who are part of the Obama Administration’s euphemistic private-public “partnership”.

A recent report by INPUT — “Federal Information Security Market, 2010-2015” — predicts that federal investment in information security will rise from $8.6 billion in 2010 to $13.3 billion by 2015 at a compound annual growth rate of 9.1 percent, nearly twice the rate of overall federal IT spending.

“Over the last year, federal agencies have seen a 78 percent growth in cyber incidents. This demand for increased information security is greater than any other current technology, leaving it more immune to the recent federal budget cuts.” “Key drivers for the expected increase in investment in information security include a 445 percent increase in cyber security incidents since 2006, a shortage of qualified security professionals, and an increasingly complex and interconnected technology environment.”

In the relationship between the US government and IT security contractors, it’s actually in the interests of the contractors for the number of cyber attacks to go up – since if they went down – they might be out of a job.

The data from the DHS supports this hypothesis by revealing that over 2/3 of Federal agencies have unacceptable data security monitoring systems.

One would assume that the OMB would require Federal agencies to take affirmative action to improve their data security by linking budget to improved data security metrics but instead, the report makes a parveh politically-correct recommendation to improve IT security worker effectiveness instead of IT security countermeasure effectiveness.

In order to improve IT security countermeasure effectiveness in the US Federal Government, the OMB should reduce base payments to contractors and vendors who provide IT security services and data security technologies and link their compensation to a reduction in the damage caused to US government data and network assets.   By using metrics and well-defined targets (like 90% of the government agencies doing data security monitoring),  it’s possible to reduce Federal value at risk, but as long as contractors are feeding off the Federal milk cow at GSA rates it’s not likely to happen in our lifetime.

Federal agencies suffered 41,776 cyber attacks in 2010, up from 30,000 the previous year, according to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), which is tasked with defending the dot-gov domain and sharing information with industry and local governments.

Almost two-thirds of US Government agencies are not yet continuously monitoring their systems for vulnerabilities and intrusions at an acceptable level, and 8 percent of agencies had no monitoring program in place.

Last fiscal year, civilian agencies spent 74 percent of their IT security budget on government personnel salaries and benefits and contractors. Overall security spending made up 16 percent of agencies’ IT budgets. Contractors accounted for 54 percent of their staff, and government made up 46 percent. At the Defense Department, 68 percent of IT security workers are government employees.


Cyber crime costs over $1 trillion

A pitch from Alex Whitson from SC TV for a Webinar on the LinkedIn Information Security Community piqued my attention with the following teaser:

As you may have read recently, Cybercrime is now costing the UK $43.5 billion and around $1 trillion globally.

Sponsored by security and compliance auditing vendor nCircle, the Webinar pitch didn’t cite any sources for the $1 trillion number nor the $43.5 billion number.

A little googling revealed the UK government report UK Cyber crime costs UKP 27BN/year. Published on the BBC’s website, the report offers a top-level breakdown of the costs of cybercrime to Britain using a fairly detailed scheme of classification and models. Regardless of how badly UK businesses are hit by cybercrime, there are several extremely weak points in the work done by Detica for the UK government.

a) First  – they don’t have any empirical data on actual cybercrime events.

Given the number of variables and lack of ‘official’ data, our methodology uses a scenario-based approach.

Which is a nice way of saying

the UK government gave us some money to do a study so we put together a fancy model, put our fingers in the air and picked a number.

b) Second – reading through the report, there is a great deal of information relating to fraud of all kinds, including Stuxnet, which has nothing to do with the UK cyber crime space. Stuxnet does not seem to have put much of a dent in the Iranian nuclear weapons program although it has given the American President even more time to hem and haw about Iranian nuclear threats.

What this tells me is that Stuxnet  has become a wakeup call for politicians to the malware threat that has existed for several years. This may be a good thing.

c) Third – the UK study did not interview a single CEO in any of the sectors they covered. This is shoddy research work, no matter how well packaged. I do not know a single CEO and CFO that cannot quantify their potential damage due to cyber crime – given a practical threat model and coached by an expert not a marketing person.

So – who pays the cost of cyber crime?

The consumer (just ask your friends, you’ll get plenty of empirical data).

Retail companies that have a credit card breach incur costs of management attention, legal and PR which can always be leveraged into marketing activities. This is rarely reported in the balance sheet as extraordinary expenses so one may assume that it is part of the cost of doing business.

Tech companies that have an IP breach are a different story and I’ve spoken about that at length on the blog. I believe that small to mid size companies are the hardest hit contrary to the claims made in the UK government study.

I would not venture a guess on total global cost of cyber crime without empirical data.

What gives me confidence that the 1 Trillion number is questionable is that it just happens to be the same number that President Obama and other leaders have used for the cost of IP theft – one could easily blame an Obama staffer for not doing her homework….

If one takes a parallel look at the world of software piracy and product counterfeiting, one sees a similar phenomenon where political and commercial organizations like the OECD and Microsoft have marketing agendas and axes to grind leading to number inflation.

I have written on the problems associated with guessing and rounding up in the area of counterfeiting here  and software piracy.

Getting back to cyber crime, using counterfeiting as a paradigm, one sees clearly that the consumer bears the brunt of the damage – whether it’s having her identity stolen and having to spend the next 6 months rebuilding her life or whether you crash on a mountain bike with fake parts and get killed.

If consumers bear the brunt of the damage, what is the best way to improve consumer data security and safety?

Certainly – not by hyping the numbers of the damage of cyber crime to big business and government. That doesn’t help the consumer.

Then – considering the rapid rollout of new and even sexier consumer devices like the iPad 2, probably not by security awareness campaigns. When one buys an iPhone or iPad, one assumes that the security is built in.

My most practical and cheapest countermeasure to cyber crime (and I will distinctly separate civilian crime from terror ) would be education starting in first grade. Just like they told you how to cross the street, we should be educating our children on open, critical thinking and not talking to strangers anywhere, not on the street and not on FB.

Regarding cyber terror – I have written at length how the Obama administration is clueless on cyber terror.

One would hope that in defense of liberty – the Americans and their allies will soon implement more offensive and more creative measures against Islamic and Iranian sponsored cyber terror than stock answers like installing host-based intrusion detection on DoD PCs.


Why Pentagon cyber strategy is divorced from reality.

From the recent September/October 2010 issue of Foreign Affairs – William Lynn, U.S. Deputy Secretary of Defense, writes about defending a new domain.

The long, eloquently phrased article demonstrates that the US has fundamental flaws in its strategic thinking about fighting terror:

Predicting cyberattacks is also proving difficult, especially since both state and nonstate actors pose threats…..Given these circumstances, deterrence will necessarily be based more on denying any benefit to attackers than on imposing costs through retaliation.

And in summary:

“The principal elements of that strategy are to develop an organizational construct for training, equipping, and commanding cyberdefense forces …to build collective defenses with U.S. allies; and to invest in the rapid development of additional cyberdefense capabilities. The goal of this strategy is to make cyberspace safe…”

It is unfortunate that a politruk has so much influence on US cyber security.

The US and European governments consistently adopt strategic policies that were obsolete  years before they came into office.

Just as the Obama administration is crippled by flawed assumptions about the regional balance of power in the Middle East, Washington still sees security as an exercise in organizational constructs, inter-agency collaboration and better defenses and pats itself on the back for recognizing that there is a new domain of threats….when the Internet was invented 20 years ago.

Lynn’s laundry lists of strategic objectives phrased in politically-correct corporate-speak are the wrong answer for improving cyber-security. When Lynn himself speaks extensively about the need for speed and flexibility, the answer cannot be more government-funded, monolithic bureaucracies.

The private-public partnership is particularly problematic in my view. The really smart people in security technologies are at small startups – not at Raytheon and Symantec and all the other big corporates that have enough lobbyist resources to line up and eat pork from the Federal plate. And – why – if I may challenge some conventional wisdoms – should companies like Symantec be allowed to influence US cyber defenses when they have done an abysmal job protecting civilian networks and digital assets? And – why – should Microsoft be part of the solution when they are part of the problem?

Perhaps the US should start by outlawing Windows and using Ubuntu which is not vulnerable to removable USB device auto run attacks.

Perhaps the US should start getting more humint on the ground instead of gutting the CIA of its human assets and relying on satellites and network intercepts. At the time of 9/11 – the CIA had no human assets in Saudi and since the Clinton administration – investment in people on the ground has gone downhill. I hear the sign in the CIA station chief office in Riyadh says “Better to do nothing than to do something and look bad”.

Perhaps the US should consider that there are numerous offensive alternatives to retaliation (which indeed is not an effective countermeasure due to the extreme asymmetry of cyber attacks).

Perhaps the US should consider that cyber attackers are not motivated by economic utility functions and therefore utility-function-based defenses are not appropriate.

The security concept proposed by Lynn is sadly divorced from reality.


Designing a data security system

User-Driven Design versus User-Centered design

Alan Cooper, in his book The Inmates are Running the Asylum, draws a distinction between user-centered design and user-driven design. User-driven design is about collecting, prioritizing and implementing a system to the user requirements – we’ve all seen software development projects where the requirements spiraled out of control and the project was a painful flop. On a project like that – it’s best to detect the warning signs early on and bail out in order to save your sanity and reputation.

User-centered design, on the other hand, is about listening carefully to the user and implementing friendly, reliable, fast and secure software that meets the user business requirements.

There is a lesson to be learned here for data security and data loss prevention –


Obama cyberspace policy review

Last week, I got an email from the Internet Security Alliance (a trade association of companies like Raytheon and Northrop Grumman that lobbies the government on cyber-security issues) with Melissa Hathaway’s speech to the RSA Security conference.

Besides all the touchy-feely stuff – I didn’t understand anything she is saying (and I’m a native English speaker..). There were a few cute gems like this one:

“….Matthew Broderick in War Games, Robert Redford in Sneakers, Sandra Bullock in The Net, and Bruce Willis in Live Free and Die Hard. These and other movies present the types of issues that we should care about and solve together.”

Ms. Hathaway’s perspective on security appears to be influenced by the movies, which is consistent with President Obama, who thinks he’s living in an episode of “The West Wing”. If you can figure out what she’s saying – drop me a comment in this blog. Let’s circle back in 6 months after the report is made public and see how many cost-effective security countermeasures the government Cyberspace security task force has produced. Isn’t “cost-effective” and “government” an oxymoron?


Social contracts for cyber security

An information security industry trade association (the ISAlliance – Internet Security Alliance) has been promoting the notion of a social contract between government and the private sector to improve cybersecurity. The ISAlliance includes representatives from Verizon, the National Association of Manufacturers, Nortel, the CyLab at Carnegie Mellon University, Raytheon, and Northrop Grumman.

According to the ISAlliance – the free-market-based approach that the Bush administration has used to encourage companies to improve cybersecurity is not sufficient and the incoming Obama administration should form a cybersecurity social contract with industry based on economic incentives.
