Saturday, December 28, 2013


In a time when many Critical Infrastructure companies around the world are feeling overwhelmed with stories of security threats from all sides, the year-end makes a great time to add a little perspective. So, based on my history in this space, plus the fact that my day job running CSC's global cybersecurity consulting business lets me talk to and help hundreds of executives around the world, I offer my perspective and what to watch for in 2014.

1. Incident Response Planning goes Mainstream
For every dollar spent on corporate information security, less than a penny has been spent on planning for the incident response. 2014 will see much greater board focus on the ability to respond to the seemingly inevitable incident, and that will drive advance practice and planning, and selection of your response team. Enterprises will stop being embarrassed by being attacked, and focus stakeholder attention on the efficiency of their response.

2. Big Data and Security meet at the SIEM
No matter how you define Big Data or how you pronounce SIEM (sim or seam), the evolution of these two tracks will combine to drive both your costs and risks down in 2014. Before, you had to know what to ask and how to interpret event data, but Big Data will change all that by analyzing everything and learning how to tell you where to focus. 2014 will be a year of teaching these systems how to be your eyes and ears.

3. Threats keep Evolving
More valuable stuff combined with even greater connectivity means that your adversaries will continue to evolve their threat vectors, creating ‘new and improved’ ways of stealing your stuff and disrupting your operations. 2013 gave us HumanMorphic APTs; 2014’s crop will continue this dangerous trend.

4. Your Security Scope Expands
You thought your enterprise was hard to secure before, but in 2014 your security sphere is going to grow dramatically, to include your suppliers, partners, and customers. It’s now your problem if they have an event, so helping them now helps you. Look for help from the White House in the form of EO-13636, and leverage the many efficient ways to extend your security down the chain.

5. Passé Passwords
While it will still be a few more years before Federated Identities let you get out of the password business, 2014 will give you a lot of help in not needing to rely on them so much. Look for the best practices of the credit card and advertising worlds to be brought to bear for enterprise access, where you know the user even before they log in.

6. Keys are the Key to the Cloud
Yes, you will move to the cloud, but it won’t be as scary in 2014 as it used to be, as long as you use the right architecture and always keep control of your encryption keys. Security becomes the enabler and new tech makes it easy to safely use efficient services like SalesForce and Dropbox, while keeping control of your environment in the clouds.

7. Smart Phones get Dumb Again
Your Bring Your Own Device (BYOD) plans have been held back, because your smart phones are too smart for your own good. Follow the latest trend toward using transparent virtual machines on these phones, turning them into dumb green screens when they access sensitive enterprise systems.

8. Transnational Crime becomes more concerning than Governments
2013 was the year of focus on what information governments are looking at, but in 2014 we’ll know that while many are looking (besides most governments, remember that social media ain't free, it's a privacy tradeoff!), it’s the transnational criminals that are doing the worst things with it. And this will turn attention from policy discussions to real security threats, and how to stop them.

9. Shhhhhh! -- Securing your voice
With all the focus on securing the data, many enterprises are overlooking their voices. Between mobile eavesdropping on phones and cars, remote activation of microphones, enterprise VoIP, employee use of Skype, and even conference call numbers—your secrets are being talked about, and criminals are listening. Securing your voices will be as critical as the rest of your data, and luckily not any harder.

10. Quit It!
Squeezed between the increase in regulations, changes in technology, costs to hire, equip, and maintain security teams, greater governance, and increasing voracity and velocity of targeted attacks, companies will move to get out of their own security business, and create long term partnerships with professionals that have the trust, teams, scale, experience, and expertise to keep up. Your adversaries are working together—it’s critical that companies team up to defend themselves.

Lagniappe: Secure the Robots!
As our enterprises (and lives) become run by Industrial Control Systems (ICS & SCADA) that turn on and off our power, route our planes/trains/automobiles, dispense our drugs, deliver our food and water, mine our resources, and build our products, the security of these ICS devices will become even more of a critical priority.

Sunday, December 1, 2013

No eCards PLEASE!

Thanksgiving, Chanukah, Christmas, Kwanzaa, New Year's… 'tis the season for sending holiday cards to those we like, plus our family and business associates. And now more than ever, I ask you, Don’t Send eCards!

If you like me, are related to me, or work with me, don’t send me one of those fancy eCards with pictures and characters that dance and sing, twerk and sparkle, or are just the wittiest thing you’ve ever seen. If you really like me, please send me a card that looks like this:

Tom, I wanted to wish you a happy holiday. I deliberately chose not to link to a graphics site or add an unexpected attachment, so you would know that not only do I like you, but I respect you enough not to send you something that might be confused with malware.

Or for those that need to draw a picture as much as draw a breath, you might follow this tried and true graphic approach and add:

This season, just like last and the one before that, many millions of accounts will be used to send many hundreds of millions of malware-laden emails disguised as a holiday greeting. While some will still have ridiculous misspellings, bad grammar, and come from email accounts like , a great many others will appear to come from your family, friends, and coworkers who have been duped into passing along this malware—and these will look real.

This year's hot malware is much worse than last year's, as it is likely to carry the CryptoLocker ransomware, which encrypts all of your files and then demands a payment of $300 to get the key. While we strongly recommend offline backups like a thumb drive (since CryptoLocker also tries to encrypt automatic backup sites with some degree of success), it’s better just not to get infected in the first place.

Let's not make it any easier for the bad guys by clicking on anything with the word ‘Holiday’ in the title. Instead, send and receive holiday greetings that are just as heartfelt, just as thoughtful, and just as clever, but do it the old-fashioned way: use your words.

P.S. If you really want to stand out, you could go the retro look and use paper cards, stamps, and the Post Office!

Tuesday, November 26, 2013

Slowdown Healthcare.Gov

(This blog is completely apolitical, and is focused solely on the security and technology issues of the Affordable Care Act (ACA).)

It’s almost the ‘end of November’, and it may seem counter-intuitive to some who have never run a large technology project before, but creating artificial deadlines like these and racing to the finish line runs counter to good security practices, and thus might do more harm than good in the quest to launch Healthcare.Gov.

Imagine a programmer faced with this ‘end of November deadline’, and being pushed to get her new code checked in and functional. Is she going to take the extra time necessary to ensure that these most recent changes didn’t adversely affect the security policy? Or is she going to do a quick review and submit the code, because the “President of the United States” needs this to work by the end of November?

By all accounts, Healthcare.Gov is the work of many different parties, with many different bosses, aiming to do something great (I realize that might be political, but wouldn’t it be great if all Americans really could have good healthcare without our rates/taxes rising or our quality of care declining!) that has never been achieved before. And in order to achieve that greatness, it needs to capture, route, and hold much of our personal information (PII).

I’ve worked on the security of many a healthcare system, going back to President Clinton’s (ok, Mrs. Clinton’s) pet Healthcare Open Systems and Trials (HOST) project in the 90’s. The security and privacy of patient and insurance records was always the lynchpin in the system. Finding ways to keep patient information away from those that shouldn’t have it, yet available to those that need it, is not an easy concept to balance, and as an industry we’ve been working on the online version of that very equation for the past 20 years. In fact, Mrs. Clinton challenged us with her healthcare version of Star Trek’s Kobayashi Maru, the impossible test that needed to be cheated to win. We failed back then, because we couldn’t compromise on security.

The problem is much harder now than it was back in the 90’s, since much of what the Internet uses to protect itself-- system encryption, air-gaps, firewalls, and more—has proven to be child's play to a determined attacker, and the more hands involved in the process, the more gaps they are able to slip through. When there’s this much money at stake (the average medical or insurance record sells for over $50 on the black market -- multiply that by the number of Americans!), there are some VERY determined attackers out there (criminals looking for money, foreign powers looking for the ability to destabilize, hacktivists looking to push their agenda).

So while the goal of creating this November line in the sand is commendable, in practice it is counterproductive. All these last minute changes WILL change the security situation, and SHOULD be given the time it takes to test every way possible. I have good friends desperate for this to work, as they aren’t able to buy real insurance any other way. But I’d rather have them in a safer system soon, than a rushed system that might compromise not only their information, but everyone else's too, which will undermine the trust in the overall ACA program and put everyone’s healthcare at risk.

So Secretary Sebelius, please slow down. Mr. Zients, take your time. It’s more important to get it right. It’s really important.

Tuesday, July 2, 2013

What do you see when you gaze into the clouds?

When I was young, I would gaze up into the clouds and see white fluffy shapes against brilliant blue sky, floating gently across my sky. When I read and hear the 'cloud' ads these days, they seem to paint this same image in my mind-- just put your stuff in our cloud, and you never have to worry again.

Which is why I like this painting that hangs in my study by Howard Finster, "...a backwoods Baptist preacher inspired by the Gospel, visitations from the dead, and visions of extraterrestrial life."[1] Finster had a different way of looking at everyday things, and often provides more truth than a first glance reveals. While Finster painted this well before internet marketing types renamed their data centers as 'clouds', his view of the same clouds I looked at in the sky bears quite the similarity to what I see when I look at the current state of cloud computing.

While I love the fluffy whites and brilliant blues of today's cloud marketing hype, which include cost savings, elastic capacity, mobile leverage, and customer self-service, I see the technological equivalent of his angels and demons floating around happy and sad clouds, as well as hosts of other risks in and around that are all too real.

I love the benefits the cloud offers us all, and want to ensure we look clearly at what it takes to move our business or personal data into it, so those risks can be addressed and the benefits securely gained. Most board directors I talk with first see the fluffy side, and can't wait to gain all those advantages. Sometimes it's difficult to explain why they should integrate a cloud security plan into their transition, which lowers their costs and risks, when they don't see these risks mentioned in the airport posters. It turns out there are great new products available that can be used to establish manageable risk in the cloud, but it must be architected and planned before you throw everything up there. Advances in encryption and key management, auditability, constant vigilance, advanced threat detection, and more are all tools that can be brought to bear in the cloud now.

It's possible, but not automatic, to work more safely in the cloud than in your old data center!

Maybe if we all share the wisdom of Howard Finster that he saw and painted all those years ago, people will think about the true picture of the clouds today, and then take the available steps to paint their own picture.

[1] Howard Finster, Stranger from Another World: Man of Visions Now on This Earth, by Howard Finster, Roger Manley (Photographer), Victor Faccinto (Photographer), Tom Patterson [no relation]