Thursday, March 27, 2014
The acquisition of social media scoring company Klout by social media enterprise company Lithium for $200 million today (3/27/2014) raises a security question in my mind that has implications much broader than how this particular deal turns out.
I've been invited to join Klout over the past couple of years, first by my friends (who didn't realize they were inviting me), and later directly by Klout with come-ons like "Your Klout Score has Risen." I've never clicked on them, or joined the Klout community, as I didn't have a good appreciation of their security or privacy direction and commitment. That's not to say it's either good or bad, but just that it wasn't conveyed as good, and the absence of good is bad. So when I saw the acquisition announcement this morning, I flipped over to the Lithium page and checked out their corporate officers. They've got Chief Executive, Operations, Community, Customer, Scientist, and Product officers, but no Chief Trust Officer.
Looking further on their site, they list a solid group of security measures they take, which is admirable. But as I’ve experienced throughout my career, the bad guys will find six ways from Sunday to drive in between pockets of good countermeasures and rob you blind. Having a corporate officer that is committed to the security and privacy of clients is fast becoming a key differentiator in consumer-centric companies.
Cloud company CipherCloud recently named Bob West as their Chief Trust Officer. This is a great move for CipherCloud as a company, but more importantly for their current and future customers. Customers want to be assured that someone they trust is looking out for them. Customers don't want to read your privacy policies, or evaluate whether your application security controls are sufficient to meet your threats, or decide whether the ever-popular 256-bit encryption is the best choice (or even meaningful). They want to trust a person. And a Chief Trust Officer is that person.
Chief Trust Officers have unimpeachable security credentials, are well versed and current on the who/what/why/how of threats, have strong ties to law enforcement for event mitigation, understand the balance between protection and recovery and the difference between compliance and security, are well versed in the emerging security technologies now available to solve previously difficult issues, and do their best work directly with customers under the bright lights of public scrutiny, not in the shadows of security. Your Chief Trust Officer should speak 'customer' as well as they speak security, privacy, technology, and compliance.
In my book Mapping Security, I wrote a few years ago about the evolution from Chief Security Officer to Chief Risk Officer, and how industries like Energy and countries like Israel were early adopters. But 'Risk' still focuses on the negative aspects of security, whereas 'Trust' embodies what good security has become today. Security is an enabler for business, and Trust is its engine. When consumers read about governments, criminals, hackers, advertisers, and hacktivists trying to invade their privacy, and big-name brands like Target, Neiman Marcus, and Google unable to protect them, having a tangible trust link will make the business difference between success and failure.
As companies evolve and are looking to maximize every nuance of their social media, viral marketing, advanced advertising, and positive branding for their growth, they would be well advised to broaden their boardroom to include a Chief Trust Officer. Compliance and security are no longer enough to attract today’s consumer—they need to trust you.
Sunday, March 23, 2014
Somehow, as executives got promoted, CEOs got hired, and board members got selected, they all got confused. So confused that their security world is turned upside down, and it's their fault. And it's not just corporate executives who are confused about the security of their enterprise; it's everyone who owns a computer or smartphone who is confused about the security of their own personal enterprise. They somehow got the impression that the higher you are in your enterprise, the MORE computer and network access you should have. In fact, the polar opposite is true. Everyone has forgotten the tried and true security tenet of 'least privilege.'
Least privilege is a fundamental security concept (who remembers the 'Rainbow Series'?), whereby you grant the user (human or program) only enough access to perform their tasks. This used to be done all the time in programming, and is often done at the rank-and-file levels of enterprises today. For instance, the guy in the cube next to you can't access the HR system and look up your salary, because he doesn't have the need for that access. While the HR exec can see your salary, they usually cannot read sensitive company financials. But the CEO can see it all.
In a work setting, it's unfortunately common for senior executives (and therefore their assistants) to be given total access to their digital enterprise, like a master key for every computer, network, and file in their domain. That makes for a juicy target if you're a thief, and the thieves know it and are thriving on this simple lapse of good corporate governance. The target becomes even juicier when said executives insist on taking their laptops and smartphones with them when they travel abroad (where governments have been known to snoop and share with state-owned competitors), insist on downloading the latest privilege-grabbing apps, and insist on blithely connecting from any coffeehouse or other free wifi they happen upon.
The key to fixing this rampant problem costs nothing but a little bruise to the ego. Executives should NOT be given the keys to their kingdoms. Instead, they should be given just enough privilege to do the routine aspects of their job. While not the complete solution, this simple step will stop the vast majority of adversaries who are looking for keys with which to subvert companies.
Before you condemn your company's execs, think about you and your own computers, tablets, smartphones, and home networks. Almost everyone gives themselves 'root' or 'Admin' access to their devices. When installing new programs, this high level of access is usually required, so that's what you take. This is exactly what today's thieves are counting on. At some point, they are going to trick you into clicking on a link that will take over your account. If your account has Admin privileges, then they have successfully taken over your enterprise. But what if your account only had enough rights to run your apps, but not enough to make any substantive changes to your device? Then your account will still have been compromised, but your system will remain intact, and the malware has to work much harder (and more visibly) to do anything lasting. If you don't have Admin rights to begin with, then you can't be the cause of them getting stolen.
What's the cost of implementing least privilege in your home and office? Zero dollars. A few more clicks for the few times you actually do need to load new software. And a hit to your ego because you're not given all the keys. So help me make 'least privilege' cool. Brag about how little access your company gives you. Get excited when the malware you stumbled upon fails to execute and gives you an error message instead. Tell your friends and co-workers: it's cool not to have the keys!
Having just this month (3/14) briefed hundreds of financial executives through their SIFMA annual education program at Wharton, and hundreds more financial fraud investigators through their Association of Certified Financial Crime Specialists (ACFCS), I can say with certainty that these are all the right questions to be asking asset managers, who not only manage huge multibillion-dollar portfolios, but also access and store extensive personally identifiable information (PII), which in itself is valuable to thieves today. Until recently, asset management companies felt secure in their very obscurity, since they do not typically project a large profile to the media or the population at large. But assuming the thieves won't find you won't work as a defense any longer, as our Global Threat Intelligence teams regularly track highly advanced and organized thieves who focus on only two things: finding things of value, and determining how hard they will be to steal. So if you're in business today and have anything of value (in the case of asset managers, both money and PII), the only variable you can control is how hard you make it to steal. "The security paradigm has to shift towards an inward focus. Securing the virtual supply chain is paramount when attempting to manage modern-day operational and reputational risk," reminds Tom Kellerman, managing director for cyber protection at Alvarez & Marsal.
Unlike the retail sector, which got some forewarning but some bad advice and no threat of regulation to drive improvement, the financial asset management companies are getting forewarning and better advice, but also the hammer of SEC examinations to ensure compliance.
The SEC is right to focus companies on their ability to "prevent, detect, and respond to cyber attacks," rather than attempt to tell each of them specifically which malware signatures to look for (the new ones change or "morph" constantly, so signature-based defenses alone won't find them).
--Prevention takes on a number of layers, including security education, roadmaps, architecture, monitoring, and management.
--Detection requires highly advanced and current techniques, technology, and talent, and trying it yourself or with standard commercial tools will generally lead to a false sense of security.
--Response has two critical success factors -- advance expert planning and access to the right team of integrated experts when and where you need them.
One of the key lessons that asset managers can learn from the ongoing retail attacks is that they need to address the security not only of their own enterprise, but also of all the supply chain partners that have access to their networks. In the case of Target, entry was gained by first breaking into a trusted supplier, and then using that supplier's access to get into Target's systems. At the end of the day, it's still Target that takes the hit. By flowing top-level security policies down to vendors and partners, you greatly reduce the chance that you'll be successfully attacked from the bottom up. This can be done through a combination of security policy changes, purchasing contract changes, and more rigorous testing of your third parties. While these changes may cause some short-term consternation with your supply chain folks, the small efforts here could be the difference between continued operations and a total loss of trust from your client base.
While it may seem like the cyber sky is falling with the weekly headlines of new breaches, in reality the story for asset management companies is very bright. These threats are real, and most certainly now active in asset management environments, but security firms with years of hands-on experience against these specific advanced threats (in defending Government and Defense clients), on top of decades of overall experience in the cyber defense business, not only have the tools to quickly detect what malware is inside your networks today, but also partner with you to protect and respond.
1. Jane Jarcho, national associate director for the Securities and Exchange Commission's investment adviser exam program, to Reuters, 27 January 2014.
Friday, January 17, 2014
The media is now very focused on Target, and on the names of the criminals behind the breach. And while that's interesting, I have a great deal of confidence in Federal law enforcement in these cases, and believe that over time the criminals will be caught, the code name for the malware will become a verb, and then the media will lose interest and move on to the next story. Sometimes the media is doing more harm than good with this story, with continued misinformation, bad advice, and incorrect focus (along with some really bad analogies and comparisons).
At the same time, shoppers are wondering whom to trust (and voting with their feet), and merchants are wondering if they are next. That's what I've been focused on, giving a 30-minute on-camera interview to CBS News that was edited down to 30 seconds. So I will reprint that advice here.
There needs to be much more informed public discussion, focusing on the three key things every retailer must do now to avoid being next, and the two things every customer should be doing now to avoid losing even more to this theft.
WHAT EVERY RETAILER SHOULD BE DOING NOW:
1) Proactive Incident Response: As Target and Neiman Marcus just found out (along with every victim before them), the time to plan your response is not the second after you get the call, but in the time before the attack. That way, you can build a plan, involve all the right people (tech, security, privacy, legal, comms, exec, compliance, board, business, partners, supply chain, etc.), and craft your response properly. By doing this advance planning, you also get to line up your response team, and get them trained and ready to go, so they are responding within two hours of your call. Advance planning and having access to the trained team where and when you need them are the two critical success factors in every incident response I've ever been part of over the past 20 years.
2) Layer End-to-End (E2E) encryption and Tokenization into your existing payment processing systems now. Avoid recommendations from vendors that say "just add encryption," "get PCI compliant," or "wait for EMV chip cards," as they are too simplistic and won't solve your problem today. With true E2E encryption (meaning that the read head itself encrypts the track data the moment the mag stripe is swiped, and only the payment processor can decrypt it), the clear payment card track data is never in your possession, so it's not yours to lose. You can have all the memory-scraping malware you want in the POS, but you can't lose what you don't have. But E2E on its own won't work in most retail stores, due to their heavy reliance on back-office data analytics engines that use that card data to do their analysis. That's why it's critical to also add Tokenization: the processor hands you back a token that has the form and format of a card number (same length, typically the same last four digits) but has no value at all outside of your analytics engines, because only the processor's vault can map it back to the real card. That way, retailers can have their cake and eat it too. Never have the data to lose, still get paid, and still perform all the analytics they need. And as opposed to waiting for EMV, retailers can implement this today, for a tiny fraction of the cost of EMV, without waiting for the entire population to get new cards, and without waiting for every other store and processor to agree to pay for it.
3) Targeted Sweeps: While Advanced Persistent Threats are new to the retail sector, they are not all that new. I've been dealing with them for over 5 years now, at Government, Defense contractor, and financial services clients. While most commercial products won't find this type of advanced malware, it is possible, using tools, techniques, and talent that have been there and done just that, to find the telltale signs of an advanced threat well before it does its damage. And, since we know how the bad guys think, we are able to aim those sweeps at specific targeted parts of your enterprise, thus getting the results you need in days instead of months.
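To make item 2 concrete, here is an added example (written for this post, not code from the original article or from any vendor) of the E2E-plus-tokenization flow: the read head encrypts the swipe, the processor decrypts and authorizes, and a vault hands the store a format-preserving token that is the only thing the back-office analytics ever see. The HMAC-counter cipher, the shared HEAD_KEY, the Vault/Processor/Store classes, and the track-2 strings are all constructed stand-ins for a real PIN pad's DUKPT/AES keys, a real processor's token vault, and real card data.

```python
"""Added example: P2PE at the read head plus vault tokenization.
Illustrative stand-ins only: the HMAC-counter cipher replaces the head's
hardware cipher, HEAD_KEY replaces injected terminal keys, and the card
numbers are public test numbers, not real cardholder data."""
import hashlib
import hmac
import secrets

# ---- inside the tamper-resistant read head -------------------------------
HEAD_KEY = secrets.token_bytes(32)  # stand-in for the key injected into the head


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream (stand-in for the head's
    hardware cipher so this runs on the standard library; not production crypto)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_at_head(track2: str) -> bytes:
    """Encrypt the swipe before it leaves the head: the POS application (and any
    memory scraper living in it) only ever sees nonce + ciphertext."""
    nonce = secrets.token_bytes(12)
    data = track2.encode()
    return nonce + _xor(data, _keystream(HEAD_KEY, nonce, len(data)))


# ---- at the processor, outside the retailer's environment -----------------
def luhn_valid(digits: str) -> bool:
    """Standard Luhn check, used both to sanity-check PANs and to mint tokens."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Vault:
    """The only place the PAN <-> token mapping exists."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Format-preserving token: same length, same last four, Luhn-valid,
        otherwise random. Same PAN -> same token, so analytics can still join."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 5))
            # exactly one "tweak" digit before the last four makes the Luhn sum work
            token = next(prefix + d + pan[-4:] for d in "0123456789"
                         if luhn_valid(prefix + d + pan[-4:]))
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


class Processor:
    def __init__(self) -> None:
        self.vault = Vault()

    def authorize(self, blob: bytes) -> dict:
        """Decrypt inside the processor's boundary, authorize, return a token."""
        nonce, ct = blob[:12], blob[12:]
        track2 = _xor(ct, _keystream(HEAD_KEY, nonce, len(ct))).decode()
        pan = track2.split("=")[0]  # track 2 layout: PAN=expiry, service code, ...
        return {"approved": luhn_valid(pan), "token": self.vault.tokenize(pan)}


# ---- in the store ---------------------------------------------------------
class Store:
    def __init__(self, processor: Processor) -> None:
        self.processor = processor
        self.sales: list[dict] = []  # back-office analytics table: tokens only

    def checkout(self, track2_from_swipe: str, amount: float) -> str:
        blob = encrypt_at_head(track2_from_swipe)  # done in the head, not the POS app
        resp = self.processor.authorize(blob)
        if resp["approved"]:
            self.sales.append({"token": resp["token"], "amount": amount})
        return resp["token"]

    def repeat_customers(self) -> dict[str, int]:
        """Analytics still work: a returning card yields the same token."""
        counts: dict[str, int] = {}
        for sale in self.sales:
            counts[sale["token"]] = counts.get(sale["token"], 0) + 1
        return {t: n for t, n in counts.items() if n > 1}

    def holds_pan(self, pan: str) -> bool:
        """What an attacker who dumps the whole sales table would find."""
        return any(pan in sale["token"] for sale in self.sales)


if __name__ == "__main__":
    store = Store(Processor())
    t1 = store.checkout("4111111111111111=25121010000000000000", 19.99)  # constructed
    t2 = store.checkout("4111111111111111=25121010000000000000", 5.00)
    print("same card, same token:", t1 == t2, t1)
    print("clear PAN in the store:", store.holds_pan("4111111111111111"))
```

The tokens are minted Luhn-valid and keep the last four digits so that legacy validation and "last four" receipt logic keep working; some vaults deliberately mint Luhn-invalid tokens instead so a token can never be mistaken for a card number, and either choice is fine as long as the mapping lives only with the processor.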
WHAT EVERY SHOPPER SHOULD BE DOING TODAY
1) Call your bank and get a new credit/debit card right now. Do not wait for your free credit report; go directly to your bank and get a new card. Your old card is being offered for sale on hundreds of Tor-hosted carding boards right now, and crooks around the world are buying them like hotcakes. There are boards that sell them for bitcoin, and others that will trade nefarious services in return for your card. Even terrorists are buying them to buy their weapons. So the sooner you call your bank and order a new card, the better you and the planet will be. Run, do not walk, to your bank and get this done now.
2) Beware the scams. They are coming. While the information that was taken can be found in the phone book (or Google) and embossed on the front of your credit card (which by now you've replaced!), you will now be on what is known as the 'suckers list' for years to come. That means you've got to amp up your bull meter, and suspect everything you get in email. Remember, email scams no longer look like misspelled hodgepodges from Nigerian princes; they will look and feel like the real thing. So don't do what they say. It's not really the FBI/USSS/Police asking you to do something... it's scammers who bought your name off the suckers list. It's not really the store that needs you to enter your info into this 'special' victims website... it's scammers who bought your name off the suckers list. If you really feel you must comply, remember never to click on any link in the email. Instead, open a fresh browser window and type in the URL for the store or agency that you think sent you the email. If it's legit, there will be a message on their site that is more trustworthy.
So retailers-- find out if you're next and put a stop to it, and shoppers, change your cards and raise your guards. Oh, and major media, focus some time on helping solve the problem. You can learn a lot from Brian Krebs!
Saturday, December 28, 2013
In a time when many Critical Infrastructure companies around the world are feeling overwhelmed with stories of security threats from all sides, the year-end makes a great time to add a little perspective. So, based on my history in this space, plus the fact that my day job running CSC's global cybersecurity consulting business lets me talk to and help hundreds of executives around the world, I offer my perspective and what to watch for in 2014.
1. Incident Response Planning goes Mainstream
For every dollar spent on corporate information security, less than a penny has been spent on planning for the incident response. 2014 will see much greater board focus on the ability to respond to the seemingly inevitable incident, and that will drive advance practice and planning, and selection of your response team. Enterprises will stop being embarrassed by being attacked, and focus stakeholder attention on the efficiency of their response.
2. Big Data and Security meet at the SIEM
No matter how you define Big Data or how you pronounce SIEM (sim or seam), the evolution of these two tracks will combine to drive both your costs and risks down in 2014. Before, you had to know what to ask and how to interpret event data, but Big Data will change all that by analyzing everything and learning how to tell you where to focus. 2014 will be a year of teaching these systems how to be your eyes and ears.
3. Threats keep Evolving
More valuable stuff combined with even greater connectivity means that your adversaries will continue to evolve their threat vectors, creating ‘new and improved’ ways of stealing your stuff and disrupting your operations. 2013 gave us HumanMorphic APTs —2014’s crop will continue this dangerous trend.
4. Your Security Scope Expands
You thought your enterprise was hard to secure before, but in 2014 your security sphere is going to grow dramatically-- to include your suppliers, partners, and customers. It’s now your problem if they have an event, so helping them now helps you. Look for help from the White House in the form of EO-13636, and leverage lots of efficient ways to extend your security down.
5. Passé Passwords
While it will still be a few more years before Federated Identities let you get out of the password business, 2014 will give you a lot of help in not needing to rely on them so much. Look for the best practices of the credit card and advertising worlds being brought to bear for enterprise access, where you know the user even before they log in.
6. Keys are the Key to the Cloud
Yes, you will move to the cloud, but it won't be as scary in 2014 as it used to be, as long as you use the right architecture and always keep control of your encryption keys. Security becomes the enabler, and new tech makes it easy to safely use efficient services like Salesforce and Dropbox while keeping control of your environment in the cloud.
7. Smart Phones get Dumb Again
Your Bring Your Own Device (BYOD) plans have been held back, because your smart phones are too smart for your own good. Follow the latest trend toward using transparent virtual machines on these phones, turning them into dumb green screens when they access sensitive enterprise systems.
8. Transnational Crime becomes more concerning than Governments
2013 was the year of focus on what information governments are looking at, but in 2014 we'll know that while many are looking (besides most governments, remember that social media ain't free; it's a privacy tradeoff!), it's the transnational criminals who are doing the worst things with it. And this will turn attention from policy discussions to real security threats and how to stop them.
9. Shhhhhh! -- Securing your voice
With all the focus on securing the data, many enterprises are overlooking their voices. Between mobile eavesdropping on phones and cars, remote activation of microphones, enterprise VoIP, employee use of Skype, and even conference call numbers—your secrets are being talked about, and criminals are listening. Securing your voices will be as critical as the rest of your data, and luckily not any harder.
10. Quit It!
Squeezed between the increase in regulations, changes in technology, costs to hire, equip, and maintain security teams, greater governance, and increasing voracity and velocity of targeted attacks, companies will move to get out of their own security business, and create long term partnerships with professionals that have the trust, teams, scale, experience, and expertise to keep up. Your adversaries are working together—it’s critical that companies team up to defend themselves.
Lagniappe: Secure the Robots!
As our enterprises (and lives) become run by Industrial Control Systems (ICS & SCADA) that turn on and off our power, route our planes/trains/automobiles, dispense our drugs, deliver our food and water, mine our resources, and build our products-- the security of these ICS devices will become even more of a critical priority.
Sunday, December 1, 2013
No eCards Please!
Thanksgiving, Chanukah, Christmas, Kwanzaa, New Year's... 'tis the season for sending holiday cards to those we like, plus our family and business associates. And now more than ever, I ask you: Don't Send eCards!
If you like me, are related to me, or work with me-- don’t send me one of those fancy eCards with pictures and characters that dance and sing, twerk and sparkle, or are just the wittiest thing you’ve ever seen. If you really like me, please send me a card that looks like this:
Tom.. I wanted to wish you a happy holiday. I deliberately chose not to link to a graphics site or add an unexpected attachment, so you would know that not only do I like you, but I respect you enough not to send you something that might be confused with malware.
Or for those that need to draw a picture as much as draw a breath, you might follow this tried and true graphic approach and add:
This season, just like last and the one before that, many millions of accounts will be used to send many hundreds of millions of malware-laden emails disguised as holiday greetings. While some will still have ridiculous misspellings, bad grammar, and come from email accounts like email@example.com, many others will appear to come from your family, friends, and coworkers who have been duped into passing along this malware, and these will look real.
This year's hot malware is much worse than last year's, as it is likely to carry the CryptoLocker ransomware, which encrypts all of your files and then demands a payment of $300 to get the key. While we strongly recommend off-line backups, like a thumb drive that you unplug afterwards (CryptoLocker also encrypts files on any backup drive or network share it can reach from your machine), it's better just not to get infected in the first place.
Let's not make it any easier for the bad guys by clicking on anything with the word 'Holiday' in the title. Instead, send and receive holiday greetings that are just as heartfelt, just as thoughtful, and just as clever, but do it the old-fashioned way: use your words.
P.S. If you really want to stand out, you could go the retro look and use paper cards, stamps, and the Post Office!
Tuesday, November 26, 2013
Slow Down Healthcare.Gov
(This blog is completely apolitical, and is focused solely on the security and technology issues of the Affordable Care Act (ACA).)
It's almost the 'end of November', and it may seem counter-intuitive to some who have never run a large technology project before, but creating artificial deadlines like these and racing to the finish line runs counter to good security practices, and thus might do more harm than good in the quest to launch Healthcare.Gov.
Imagine a programmer faced with this 'end of November' deadline, and being pushed to get her new code checked in and functional. Is she going to take the extra time necessary to ensure that these most recent changes didn't adversely affect the security policy? Or is she going to do a quick review and submit the code, because the "President of the United States" needs this to work by the end of November?
By all accounts, Healthcare.Gov is the work of many different parties, with many different bosses, aiming to do something great (I realize that might be political, but wouldn’t it be great if all Americans really could have good healthcare without our rates/taxes rising or our quality of care declining!) that has never been achieved before. And in order to achieve that greatness, it needs to capture, route, and hold much of our personal information (PII).
I've worked on the security of many a healthcare system, going back to President Clinton's (ok, Mrs. Clinton's) pet Healthcare Open Systems and Trials (HOST) project in the 90's. The security and privacy of patient and insurance records was always the linchpin of the system. Finding ways to keep patient information away from those who shouldn't have it, yet available to those who need it, is not an easy balance, and as an industry we've been working on the online version of that very equation for the past 20 years. In fact, Mrs. Clinton challenged us with her healthcare version of Star Trek's Kobayashi Maru, the impossible test that needed to be cheated to win. We failed back then, because we couldn't compromise on security.
The problem is much harder now than it was back in the 90's, since much of what the Internet uses to protect itself (system encryption, air gaps, firewalls, and more) has proven to be child's play to a determined attacker, and the more hands involved in the process, the more gaps they are able to slip through. When there's this much money at stake (the average medical or insurance record sells for over $50 on the black market; multiply that by the number of Americans!), there are some VERY determined attackers out there (criminals looking for money, foreign powers looking for the ability to destabilize, hacktivists looking to push their agenda).
So while the goal of creating this November line in the sand is commendable, in practice it is counterproductive. All these last-minute changes WILL change the security situation, and SHOULD be given the time it takes to test them every way possible. I have good friends desperate for this to work, as they aren't able to buy real insurance any other way. But I'd rather have them in a safer system soon than in a rushed system that might compromise not only their information but everyone else's too, which would undermine trust in the overall ACA program and put everyone's healthcare at risk.
So Secretary Sebelius, please slow down. Mr. Zients, take your time. It’s more important to get it right. It’s really important.