Saturday, December 28, 2013


In a time when many Critical Infrastructure companies around the world are feeling overwhelmed with stories of security threats from all sides, the year-end makes a great time to add a little perspective. So, based on my history in this space, plus the fact that my day job running CSC's global cybersecurity consulting business lets me talk to and help hundreds of executives around the world, I offer my perspective and what to watch for in 2014.

1. Incident Response Planning goes Mainstream
For every dollar spent on corporate information security, less than a penny has been spent on planning for incident response. 2014 will see much greater board focus on the ability to respond to the seemingly inevitable incident, and that will drive advance practice and planning, and the selection of your response team. Enterprises will stop being embarrassed by being attacked, and will focus stakeholder attention on the efficiency of their response.

2. Big Data and Security meet at the SIEM
No matter how you define Big Data or how you pronounce SIEM (sim or seam), the evolution of these two tracks will combine to drive both your costs and risks down in 2014. Before, you had to know what to ask and how to interpret event data, but Big Data will change all that by analyzing everything and learning how to tell you where to focus. 2014 will be a year of teaching these systems how to be your eyes and ears.

3. Threats keep Evolving
More valuable stuff combined with even greater connectivity means that your adversaries will continue to evolve their threat vectors, creating ‘new and improved’ ways of stealing your stuff and disrupting your operations. 2013 gave us HumanMorphic APTs; 2014’s crop will continue this dangerous trend.

4. Your Security Scope Expands
You thought your enterprise was hard to secure before, but in 2014 your security sphere is going to grow dramatically, to include your suppliers, partners, and customers. It’s now your problem if they have an event, so helping them now helps you. Look for help from the White House in the form of EO-13636, and leverage lots of efficient ways to extend your security out to them.

5. Passé Passwords
While it will still be a few more years before Federated Identity lets you get out of the password business, 2014 will give you a lot of help in not needing to rely on passwords so much. Look for the best practices of the credit card and advertising worlds to be brought to bear for enterprise access, where you know the user even before they log in.

6. Keys are the Key to the Cloud
Yes, you will move to the cloud, but it won’t be as scary in 2014 as it used to be, as long as you use the right architecture and always keep control of your encryption keys. Security becomes the enabler, and new tech makes it easy to safely use efficient services like Salesforce and Dropbox while keeping control of your environment in the clouds.

7. Smart Phones get Dumb Again
Your Bring Your Own Device (BYOD) plans have been held back, because your smart phones are too smart for your own good. Follow the latest trend toward using transparent virtual machines on these phones, turning them into dumb green screens when they access sensitive enterprise systems.

8. Transnational Crime becomes more concerning than Governments
2013 was the year of focus on what information governments are looking at, but in 2014 we’ll know that while many are looking (besides most governments, remember that social media ain't free; it's a privacy tradeoff!), it’s the transnational criminals that are doing the worst things with it. And this will turn attention from policy discussions to real security threats, and how to stop them.

9. Shhhhhh! -- Securing your voice
With all the focus on securing the data, many enterprises are overlooking their voices. Between mobile eavesdropping on phones and cars, remote activation of microphones, enterprise VoIP, employee use of Skype, and even conference call numbers—your secrets are being talked about, and criminals are listening. Securing your voices will be as critical as the rest of your data, and luckily not any harder.

10. Quit It!
Squeezed between the increase in regulations, changes in technology, costs to hire, equip, and maintain security teams, greater governance, and increasing voracity and velocity of targeted attacks, companies will move to get out of their own security business, and create long term partnerships with professionals that have the trust, teams, scale, experience, and expertise to keep up. Your adversaries are working together—it’s critical that companies team up to defend themselves.

Lagniappe: Secure the Robots!
As our enterprises (and lives) become run by Industrial Control Systems (ICS and SCADA) that turn our power on and off, route our planes/trains/automobiles, dispense our drugs, deliver our food and water, mine our resources, and build our products, the security of these ICS devices will become even more of a critical priority.

Sunday, December 1, 2013

No eCards PLEASE!

Thanksgiving, Chanukah, Christmas, Kwanzaa, New Year’s… ’tis the season for sending holiday cards to those we like, plus our family and business associates. And now more than ever, I ask you: Don’t Send eCards!

If you like me, are related to me, or work with me, don’t send me one of those fancy eCards with pictures and characters that dance and sing, twerk and sparkle, or are just the wittiest thing you’ve ever seen. If you really like me, please send me a card that looks like this:

Tom, I wanted to wish you a happy holiday. I deliberately chose not to link to a graphics site or add an unexpected attachment, so you would know that not only do I like you, but I respect you enough not to send you something that might be confused with malware.

Or for those that need to draw a picture as much as draw a breath, you might follow this tried and true graphic approach and add:

This season, just like last and the one before that, many millions of accounts will be used to send many hundreds of millions of malware-laden emails disguised as holiday greetings. While some will still have ridiculous misspellings, bad grammar, and come from email accounts like , a great many others will appear to come from your family, friends, and coworkers who have been duped into passing along this malware—and these will look real.

This year’s hot malware is much worse than last year’s, as it is likely to carry the CryptoLocker ransomware, which encrypts all of your files and then demands a payment of $300 to get the key. While we strongly recommend off-line backups like a thumb drive (since CryptoLocker also tries to encrypt automatic backup sites, with some degree of success), it’s better just not to get infected in the first place.

Let’s not make it any easier for the bad guys by clicking on anything with the word ‘Holiday’ in the title. Instead, send and receive just as heart-felt, just as thoughtful, and just as clever holiday greetings, but do it the old-fashioned way: use your words.

P.S. If you really want to stand out, you could go the retro look and use paper cards, stamps, and the Post Office!
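The advice above boils down to a few observable signals: a holiday-themed subject, a link out to a graphics or eCard site, an unexpected attachment, and a sender you do not actually correspond with. The following Python script is an added example (not code from this blog or from CSC) that turns those signals into a simple mail-triage heuristic using only the standard library. The sample messages, the address book, the point weights and the thresholds are all constructed for the example; a real deployment would tune them against its own mail flow.

```python
"""Heuristic triage for holiday-greeting e-mail (added example, not from the post).

Parses raw RFC 822 messages with the standard library and scores the signals the
post warns about. Everything below (samples, address book, weights) is constructed.
"""
import re
from email import message_from_string
from email.message import Message

HOLIDAY_WORDS = re.compile(
    r"\b(holidays?|christmas|chanukah|hanukkah|kwanzaa|new year|thanksgiving|"
    r"e-?card|greeting)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Extensions that commonly wrap executable content; constructed list, extend to taste.
RISKY_EXT = (".exe", ".scr", ".zip", ".js", ".vbs", ".cab")

# Constructed address book: people you actually exchange mail with.
KNOWN_SENDERS = {"alice@example.org", "bob@example.net"}


def sender_address(msg: Message) -> str:
    """Return the bare address from a From: header such as 'Alice <alice@example.org>'."""
    from_hdr = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_hdr)
    return (m.group(1) if m else from_hdr).strip().lower()


def extract_links(msg: Message) -> list:
    """Collect http(s) links from every text part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            links.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return links


def attachment_names(msg: Message) -> list:
    """Return the filenames of all parts marked as attachments."""
    names = []
    for part in msg.walk():
        if "attachment" in part.get("Content-Disposition", "").lower():
            names.append(part.get_filename() or "")
    return names


def triage(raw: str, known=KNOWN_SENDERS) -> dict:
    """Score one raw message and return the signals found plus a verdict.

    Constructed scoring: one point per signal, a risky attachment counts double;
    3 or more points quarantines, 2 sends to review, otherwise deliver.
    """
    msg = message_from_string(raw)
    signals = []
    if HOLIDAY_WORDS.search(msg.get("Subject", "")):
        signals.append("holiday_subject")
    if extract_links(msg):
        signals.append("external_link")
    attachments = attachment_names(msg)
    if any(n.lower().endswith(RISKY_EXT) for n in attachments):
        signals.append("risky_attachment")
    elif attachments:
        signals.append("attachment")
    sender = sender_address(msg)
    if sender not in known:
        signals.append("unknown_sender")
    score = len(signals) + ("risky_attachment" in signals)
    verdict = "quarantine" if score >= 3 else ("review" if score >= 2 else "deliver")
    return {"sender": sender, "signals": signals, "score": score, "verdict": verdict}


# Constructed sample messages (not real mail). The first is the plain-text card
# the post asks for; the second links out to an eCard site from a known friend;
# the third carries an archive attachment from an unknown sender.
SAMPLE_PLAIN = """From: Alice <alice@example.org>
To: tom@example.com
Subject: Happy Holidays Tom

Tom, I wanted to wish you a happy holiday. No links, no attachments.
"""

SAMPLE_ECARD = """From: Alice <alice@example.org>
To: tom@example.com
Subject: Alice sent you a Holiday eCard!

Click to view your card: http://ecards.example.invalid/view?id=12345
"""

SAMPLE_ATTACH = """From: Unknown <greetings@example.invalid>
To: tom@example.com
Subject: Your Christmas Greeting Card
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Open the attached card to see your greeting.
--XYZ
Content-Type: application/zip
Content-Disposition: attachment; filename="card.zip"

UEsDBBQ=
--XYZ--
"""

if __name__ == "__main__":
    for name, raw in (("plain", SAMPLE_PLAIN), ("ecard", SAMPLE_ECARD), ("attach", SAMPLE_ATTACH)):
        print(name, triage(raw))
```

The plain-text card scores only the holiday subject and is delivered; the eCard link from a known friend lands in review, which matches the post's point that the dangerous ones look like they come from people you trust; the archive attachment from a stranger is quarantined. The heuristic is deliberately crude and is meant to show where the signals come from in the message structure, not to replace a mail gateway.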