ISSA International Blog
At the International Conference in Chicago
Day One - October 12, 2015
Paul Roberts is Editor in Chief of The Security Ledger. Follow him on Twitter: @paulfroberts
Google Evangelist Vint Cerf: Incentives Needed to Secure Internet of Things
Cerf, who helped design the Internet in the 1970s, said that more incentives are needed to push private sector firms to prioritize security in connected products.
Private sector firms need more and better incentives to secure their products, including connected devices that populate the Internet of Things, Google’s Chief Internet Evangelist, Vint Cerf, told an audience of information security professionals in Chicago on Monday.
Speaking at the International Conference for ISSA, the Information Systems Security Association, Cerf said that rapid expansion of software and Internet connectivity has drastically raised the stakes for software failures. However, firms making technology products have few incentives to invest in security that limits those risks.
Considered one of the ‘fathers’ of the Internet, Cerf was a professor at Stanford University in the early 1970s when he and Robert Kahn designed the TCP/IP protocol suite for the Department of Defense – the foundation for the communications protocols that are the lingua franca of the modern Internet.
Four decades later, Cerf argued that the fantastic success and spread of the Internet has changed the ground rules by which software engineers and technology firms play. "It all starts with buggy software,” he said in a keynote address to ISSA’s members. "Programmers got away with a lot in the past. You could say ‘software is complicated. It has bugs. It’s not our fault.'”
No longer. The advent of smart cars and machinery powered by software raises the stakes for bugs and other faults in that software, and pushes software quality toward the status of features like seat belts, which are mandated by federal law and whose use is enforced or encouraged at the state and local level. A similar approach might be taken to force improvements in software quality and security, Cerf said.
"It could be that bad software production has consequences at some point and that change is forced on us because of safety and privacy questions,” he said.
Cerf identified several levers that could be used to force that change. Increasing the liability for bad software might raise the cost of failure and divert more resources to security, he argued.
"The role of liability and law is to make people do something other than they might do,” Cerf noted. Still, liability is not yet a well-formed notion in the context of software failures.
Requirements for cyber insurance might also be a market-based way to force more uniform security practices at organizations. But, Cerf noted, "insurance doesn’t prevent vulnerabilities.”
On the technology side, Cerf said that hardware-reinforced security, which pairs secure elements on processors with software applications designed to take advantage of that hardware, is another option. Google is experimenting with such a model with Project Vault.
Broader use of existing technologies such as two-factor authentication and real-time logging, monitoring and auditing of hardware and software will also help.
To date, however, Cerf acknowledged that progress on security has been slow, even as the number of connected devices populating our homes and workplaces has grown rapidly, creating concerns about both the security and integrity of critical systems such as connected vehicles and medical devices.
Going forward, Cerf said more attention needs to be given to both security and manageability of devices during their design. Features common in the software world, such as over the air (OTA) updates will be needed to keep deployed devices up to date and secure. At the same time, better tools will be needed to validate software updates to avoid compromises or faulty patches.
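What "validating software updates" looks like in code, as an added example that is not Cerf's, Google's or any vendor's implementation (the manifest fields, the device model string `pump-x1` and the `Sign`/`Verify` functions are assumptions for the illustration): the vendor signs a manifest over the firmware image's hash with an Ed25519 key, and the device authenticates that manifest before it applies any policy. A swapped payload, a replayed older release and a manifest signed with a key the device does not trust are each rejected, for different reasons.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: it binds a firmware image (by hash)
// to a device model and a monotonically increasing version number.
// Field names and the model string are assumptions for this example.
type Manifest struct {
	Model      string `json:"model"`
	Version    uint32 `json:"version"`
	PayloadSHA string `json:"payload_sha256"`
}

// SignedManifest travels alongside the firmware image over the air.
type SignedManifest struct {
	Manifest  Manifest `json:"manifest"`
	Signature []byte   `json:"signature"` // Ed25519 over canonical(Manifest)
}

// Device holds the state the update logic must respect: the vendor's public
// key baked in at manufacture, and the version currently installed.
type Device struct {
	Model            string
	InstalledVersion uint32
	VendorKey        ed25519.PublicKey
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrWrongModel   = errors.New("manifest is for a different device model")
	ErrRollback     = errors.New("update is not newer than installed version")
	ErrBadPayload   = errors.New("payload hash does not match manifest")
)

// canonical is the byte string that is signed and verified. Go encodes struct
// fields in declaration order, so the encoding is deterministic on both sides.
func canonical(m Manifest) []byte {
	b, _ := json.Marshal(m)
	return b
}

// Sign is the vendor side: hash the image, fill in the manifest, sign it.
func Sign(priv ed25519.PrivateKey, model string, version uint32, payload []byte) SignedManifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Model: model, Version: version, PayloadSHA: hex.EncodeToString(sum[:])}
	return SignedManifest{Manifest: m, Signature: ed25519.Sign(priv, canonical(m))}
}

// Verify is the device side. Order matters: authenticate the manifest first,
// then apply policy (right model, no rollback), and only then trust the
// manifest's hash enough to compare it against the downloaded image.
func (d Device) Verify(sm SignedManifest, payload []byte) error {
	if !ed25519.Verify(d.VendorKey, canonical(sm.Manifest), sm.Signature) {
		return ErrBadSignature
	}
	if sm.Manifest.Model != d.Model {
		return ErrWrongModel
	}
	if sm.Manifest.Version <= d.InstalledVersion {
		return ErrRollback
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != sm.Manifest.PayloadSHA {
		return ErrBadPayload
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := Device{Model: "pump-x1", InstalledVersion: 7, VendorKey: pub}
	firmware := []byte("constructed firmware image, version 8")

	good := Sign(priv, "pump-x1", 8, firmware)
	fmt.Println("genuine update:   ", dev.Verify(good, firmware))

	// Payload swapped in transit after signing.
	fmt.Println("tampered payload: ", dev.Verify(good, []byte("not the signed image")))

	// Validly signed but older release replayed to reintroduce a fixed bug.
	fmt.Println("rollback attempt: ", dev.Verify(Sign(priv, "pump-x1", 6, firmware), firmware))

	// Manifest signed with a key the device does not trust.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged signature: ", dev.Verify(Sign(otherPriv, "pump-x1", 9, firmware), firmware))
}
```

The order of the checks is the point: the signature is verified before any field of the manifest is trusted, so an attacker cannot edit the version or the hash to steer the device into a later branch; the anti-rollback test stops a validly signed but vulnerable old image from being reinstalled; and the payload hash is compared only once the manifest is known to be genuine. A real device also needs a tamper-resistant, monotonic store for `InstalledVersion` and a way to rotate `VendorKey`, both of which this example leaves out.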
Asked about the wisdom of laws such as the Digital Millennium Copyright Act, which has been applied to prevent customers from tinkering with firmware that runs connected vehicles and machinery, Cerf said he and Google advocate open source software as a way to foster a culture of security and transparency. "At Google, we’re finding great benefits in making software open,” he said.
Beyond that, companies that are designing and selling connected devices need to have a clear plan for supporting that device over the long term or, alternatively, making clear to potential customers that the device will not be supported and updated in perpetuity.
"Clearly we have to think our way through this. We have to ingest this,” Cerf said. "The alternative is that we will have more and more unsafe devices over time.”
- Paul Roberts, 10/12/15
Risk Managers: Beware the Buried CISO
Companies that bury their chief security officer in the corporate org chart may pay a price, security executives warn
Fifteen years ago, the role of Chief Information Security Officer (CISO) was a novelty – a funny kind of role that didn’t sound quite right in your ear. Today, however, it is a different story. CISOs are fast becoming the norm at companies of all sizes and across industries.
Alas, simply having a Chief Information Security Officer on staff isn’t enough. As a panel at the ISSA International Conference in Chicago explained: where companies choose to situate their CISO in the corporate hierarchy is just as important as creating the position to begin with. In fact, the stationing of a CISO can unknowingly communicate a lot about the security posture of the organization she works for.
The panelists, CISOs and senior security advisors, represented firms from diverse industries, including manufacturing, finance, government and high technology. Still, there was broad agreement that chief security officers play a critical role in helping senior decision makers understand the cyber risks that confront their business.
That’s a welcome change from recent history, when security conversations were more often dominated by inchoate "FUD” (or fear, uncertainty and doubt).
"I’m seeing a refreshing trend among our customers which is that security practitioners are trying to surface risk to business decision makers before they make decisions about mitigations,” said Tim Rains, the Chief Security Advisor at Microsoft’s Worldwide Cybersecurity Business Unit.
Often that means connecting the dots between arcane technical issues and the priorities that a corporate board of directors or C-level executive can understand. "It’s helpful to be able to speak in analogies,” said Oracle’s Chief Security Officer Mary Ann Davidson. "You have to be able to say ‘this is like that’ and put the issue in terms someone can understand… If it’s a problem with a product, they need to understand how it can put the business at risk.”
Despite that critical role, however, panelists agreed that there was little consistency to the Chief Security Officer role and that how a particular company scopes the position can say a lot about its attitude towards security.
"The place of the CISO tells a story,” said Rains. "They’re the person responsible for security, so where are they in the organization? Where do they get their funding? Who do they get their marching orders from?”
Rains said that, from his vantage within Microsoft’s Cybersecurity Business Unit, he gets all different answers to that question. "You see different organizations with different levels of maturity. CISOs and their equivalents report all over the place.”
Some of those arrangements are – admittedly – "very strange,” Rains admitted. More commonly these days, however, he said he is seeing the CISO position gravitate toward the organization’s risk function, such as the legal department or corporate affairs.
For smaller firms, however, chief security officers still need to occupy a more central position in the organization while wearing lots of hats. Dave Sandersen, the Global Security Director at Trek Bicycle Corp., said he is responsible for both logical and physical security at the company – a remit that ranges from overseeing the security of Trek’s facilities and critical IT assets to complying with the Payment Card Industry Data Security Standard and managing the security of point-of-sale bike rental stations in and around Chicago.
If nothing else, CISOs need to take ownership of their organization’s long-term security vision and strategy: trying to address security in a holistic and effective way rather than merely stamping out fires or reacting to the latest security threat.
At Texas.gov, CISO Tim Virtue said that has involved restructuring the organization’s security team to push security considerations earlier into the design and development phase. Specifically: the company has placed dedicated security engineers within agile development teams to make sure security issues are raised and solved early in the development cycle.
At Microsoft, it has meant designing the company’s Security Development Lifecycle (SDL) methodology and tools and pushing them out to the thousands of developers working for the Redmond, Washington firm. "We recognized that not everyone in our organization has the aptitude to do security work,” Rains said. "So we gave them a repeatable process and set of tools to support them.”
The challenge going forward, participants agreed, was to foster secure behaviors throughout the software industry and the technology sector in general: influencing everything from the work at hot, crowd funded startups to the way that undergraduate computer science and engineering courses are taught.
"What we need as industry is for a lot of this to percolate down to innovative startups, so they can say ‘we’re going to do these things that are really interesting, but also secure,’ and also for it to percolate back into the university so we can teach students how to develop securely from the very beginning.”
Paul Roberts - 10/12/15
Day Two - October 13, 2015
Sean Martin, CISSP, is an information security veteran of nearly 25 years with articles covering security issues published globally.
The Need for a New Security Fabric - Specifically for a World Filled with IoT
The Internet of Things (IoT) and the rest of the world’s already-connected devices pose a serious cyber risk to our personal, corporate, and national interests. We thus need to weave a new fabric of security if we are to ensure security, privacy, and safety in an always-connected world.
The 2015 edition of the ISSA International Conference in Chicago brought together some of the top minds in technology and security. The conference team packed the agenda with tremendous content and ran the event flawlessly. Still, two days was not enough (it never is) to cover everything we face in this crazy world of cybersecurity.
Vint Cerf, Chief Internet Evangelist for Google and co-inventor of the Internet, carefully selected and then delivered the following as his opening remark for his keynote during the conference: "We are losing the battle against security and safety.”
During an interview following his own keynote the next day, Dan Geer, CISO at In-Q-Tel, also shared his position on the state of cybersecurity: "We are better than yesterday,” said Geer. "But are we moving fast enough?”
Both luminaries indirectly spoke to the concept of a race for safety. And based on information presented to the ISSA attendees by Demetrios Lazarikos (Laz), CISO for vArmour, it seems we need to race a little faster as 2020 appears to be a big year looming on the cyber horizon.
"Trends show that we have a significant technical advancement in mobile devices roughly every 10 years,” said Laz, as he presented the following milestones:
1980 – analog
1991 – digital
2001 – packet switching
2010 – IP technology
2020 - ????
One might wonder what we will see in 2020.
"Gartner claims we will have 25 billion connected ‘things’ in use by 2020,” said Laz, answering the question that, presumably, the audience collectively shared.
Before we can prepare for what is likely an inevitable event, we must first understand where we are now and how we got here. To get a sense of the magnitude of this event (which probably won’t be a single "event” so much as a series of building activities), we must also recognize that the situation starts with our 20- to 30-year-old data centers, which were built to rely on perimeters and careful segmentation as the means of achieving security and compliance.
"One of the major challenges we’re faced with today is that these data centers have been protected by legacy security tools that don’t meet the digital and connected business requirements of today,” said Laz. "Certainly, these data centers can’t withstand what the future holds for them in 2020. The perimeter is gone in this new world—enterprises are embracing cloud, mobile, and IoT at lightning-fast speeds.
"How can these emerging solutions be protected when organizations are working with deeply-entrenched legacy security solutions?” asked Laz.
Of course, the introduction and widespread use of the cloud and the other aforementioned technologies has changed how our data centers look. "We are now using systems owned by others and sharing data with others we may not even know exist in the ecosystem—both of these situations introduce risk to the business,” added Laz.
As we grow, extend, acquire, and leverage third-party services, we lose even more control over our systems and our data. The common use of multiple data centers only exacerbates the problem. And the challenge of protecting our privacy and safety in an always-connected world of billions of devices doesn’t stop at the data center.
Think about the traditional product life cycle. Products are constantly re-defined and delivered to meet new business requirements. When the product tires and expires, it gets replaced with an updated version.
Today, however, products get delivered and soon become "smarter” products, meaning these physical devices take advantage of some type of software application with a user interface to use and/or manage it. Since they are "smarter,” they have a need to learn, so they quickly become smarter connected products, designed to collect and share a massive amount of data from and with other devices and technologies.
Assuming these smarter, connected products need to work with other same/similar products— and therefore require some sort of management and maintenance—they need to also become part of a product ecosystem. Of course, most products today have smart, connected, ecosystem-enabled versions straight out of the gate.
Take a medical device for example…
Product (insulin pump) => Smarter Product (pump with a mobile app) => Smarter Connected Product (exchanges dosage information with the doctor) => Health Integrated System (dosage information shared with the rest of the healthcare ecosystem)
Image Source: vArmour
"Medical devices have grown into really powerful solutions that can track personal and healthcare information,” said Laz. "These devices communicate through multiple ecosystems, connecting and communicating with both traditional networks and cloud environments.”
This same model can be applied to automobiles, homes, office buildings, and even a city infrastructure—the electrical grid, street lights, water supplies and more can all be smart and fit into a larger IoT ecosystem.
"When we look at how individuals and organizations have embraced IoT solutions for the past three years, we can clearly see that IoT-enabled technologies are here right now,” said Laz.
"Automobiles allow us to review how and when the next maintenance schedule should be met while also receiving targeted playlists through a personalized choice of music providers. Home automation has also increased, allowing users to remotely control almost every aspect of the home, right from a tablet or a smartphone.”
With so many use cases brewing, organizations are racing each other through this digital transformation by leveraging a plethora of emerging IT technologies; systems that integrate physical, virtual, and cloud technologies are connecting things in ways we have never seen before.
Individual users and organizations alike are tying together different IoT ecosystems and connecting them to legacy network environments without fully understanding the consequences of such an activity. Sadly, in most environments, information security has been an afterthought when deploying these new technologies, leaving a mound of risk.
"What challenges and risk do you face if you have 200 IoT devices at your current home and decide to move into a house that already has 200 IoT devices?” asked Cerf, looking at a personal example of this situation. "Imagine for a moment having to re-configure all of the connections—and manage security—for each and every one of these devices, old and new. Also consider having to complete this activity before one of your neighbors lends a not-so-helping hand—configuring your IoT system using their own preferred settings.”
"It’s extremely easy to hack these IoT devices,” said Tony Gambacorta, VP of Operations at Synack, during his session at the ISSA conference. "Sure, you’ll need to be prepared to fry the first device on which you attempt your hacks aimed at monitoring signals that represent data entering and leaving the device. But you’ll be more careful the next time and will almost certainly succeed in your hack,” he assured the audience.
Once a device has been hacked, it can be rooted and loaded with malicious code that talks to a command-and-control server outside the network; from there the attacker goes sniffing around for the really good stuff: the data.
"We are not in a good state to measure how well people have implemented security,” said Cerf, speaking both to the individuals who use these devices and the companies that provide the systems and devices. "Unless there are incentives for doing the right thing with respect to security, we'll continue to lose the security battle,” he added.
What happens when something does go wrong with the IoT?
"We are going to need the equivalent of a cyber fire department for the public to turn to during a cyber fire,” said Cerf, caveating that the analogy isn’t a perfect 1:1 match. "While this is good in theory, we can’t really have a business calling in a cyber fire for its top competitor. The cyber fire department’s response could take that competitor offline while the ‘helpful neighbor’ reaps the rewards.”
Nonetheless, we need something like the fire department to address this need.
As with most things security, it’s not just the incident that matters; it’s the data that gets compromised while sitting on and traversing these devices, ecosystems, and networks when the incident occurs. "Access control to data is key,” said Cerf. "You must define who gets what, for how long, how often, and specify whether or not they can pass their access on to others.”
However, as more and more data gets pumped around this massively complex environment, we can’t limit our data protection measures to privacy alone. During his keynote, Cerf said "Toomas Ilves, the president of Estonia and a good friend of mine, is much more concerned with data integrity than he is with data confidentiality.”
Geer holds a similar position, reserved mainly for today’s youth: "I expect that for the younger generation, privacy will fade and integrity will become extremely important,” said Geer, noting that today’s youth post personal stuff all over the Internet and don’t care who sees it.
Since a medical record that’s changed through a hacked insulin pump could be devastating, we need to deliver a system that not only protects data from unauthorized access and theft, but also from manipulation.
In summary, regardless of what the infrastructure looks like underneath, if we truly want a secure, private, and safe always-connected world, we must begin to collaborate with each other. This will help all of us find our own security thread to weave into this thing we call the Internet of Things.
Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with articles published globally covering security management, cloud computing, enterprise mobility, governance, risk, and compliance—with a focus on specialized industries such as government, finance, health care, insurance, legal, and the supply chain. View Sean’s profile on LinkedIn: www.linkedin.com/in/imsmartin/.
As Online Scams Proliferate, A Call for Security Awareness
Funds transfer scams and crypto malware scams are proliferating in an environment of low security awareness.
Worse: there is little recourse for victims once the money is gone, according to experts.
A lack of security awareness within organizations is contributing to a rising tide of funds transfer scams that are draining corporate bank accounts, according to an expert presentation at the ISSA International Conference.
Experts from the law firm ICE Miller LLP said on Monday that cyber criminal groups are carrying out a wave of funds transfer and crypto malware scams against U.S. companies – many of which are never reported to law enforcement. Even worse: victims of the attacks have little recourse once the money has been diverted.
At the root of the problem is a dire lack of security awareness within the ranks of U.S. firms, which is allowing malicious software including Trojan horse and crypto malware programs to get a foothold in corporate environments.
Employees at such firms regularly fall victim to generic phishing e-mail messages claiming to be receipts for shipped packages, purchase orders and other ruses, said Nick Merker, an associate at ICE Miller, which aids companies that have been victimized in the attacks. Getting employees to click on malicious links or open malware laced e-mail attachments is the first step in scams that may ultimately target a company’s payroll system or opportunistically scramble the contents of hard drives and hold the data ransom, Merker said.
Companies that are able to clear that low bar still face the threat of so-called spear phishing messages that are targeted at individuals within the company. Such messages often purport to come from employees or executives within the company or from trusted business partners and mention employees or product names that make them difficult to distinguish from legitimate correspondence.
The most sophisticated of these targeted attacks are the product of planning and research. ICE Miller claims to have seen funds transfer scams that are timed to the day of a house closing, using e-mail messages to instruct home buyers to wire money to an account controlled by the scammers.
Other attacks might even come by way of a compromised third party business partner or customer using a compromised e-mail account and tapping into an existing message exchange between the compromised party and the target, said Nicholas Reuhs, an ICE Miller associate whose specialty is helping firms recover stolen funds.
Unfortunately, there is no silver bullet for firms facing such threats. So-called drive-by download attacks that plant malware like Cryptowall or Cryptolocker on employees’ computers can come from legitimate web sites thanks to malicious ads ("malvertising”), which have spiked in recent months.
Training that familiarizes employees with the "red flags” that appear in e-mail or on social media can make it possible to prevent attacks, the attorneys from ICE Miller said. Companies that haven’t already done so should deploy e-mail gateways that flag messages whose content or origin is suspicious, and should establish and enforce clear protocols around high-value transactions such as funds transfers, requiring in-person or phone-based approval.
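A sketch of the two controls the attorneys describe, a gateway that flags suspicious messages and an out-of-band approval rule for anything that asks to move money, as an added example and not ICE Miller's guidance or any product's code. The organisation (`acme.com`), the partner domain, the executive's name and the three sample messages are all constructed for the illustration. The red flags are the ones the article lists: an executive's display name on an external address, a reply-to that points somewhere else, a look-alike of a trusted domain, and a request for a funds transfer, which is held for phone verification rather than delivered.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Message is the subset of an inbound e-mail that the rules below inspect.
type Message struct {
	FromName, FromAddr, ReplyTo, Subject, Body string
}

// Policy is what the gateway knows about the organisation it protects.
type Policy struct {
	InternalDomain string
	Executives     map[string]bool // lower-cased display names that attackers impersonate
	Trusted        map[string]bool // our own domain plus counterparties that send us invoices
}

// Any request to move money is held until a human confirms it by phone, on a number already on file.
const flagTransfer = "funds transfer request: hold for phone verification"

// Gateway and Samples are constructed for this example; every name and domain is fictitious.
var Gateway = Policy{
	InternalDomain: "acme.com",
	Executives:     map[string]bool{"jane doe": true},
	Trusted:        map[string]bool{"acme.com": true, "bigsupplier.com": true},
}

var Samples = []Message{
	{"Jane Doe", "jane.doe@acme-mail.net", "ceo.acme@freemail.example", "Urgent: wire needed today", "Process a wire transfer of $48,200 to the account below before noon. Keep this confidential."},
	{"Accounts Receivable", "ar@bigsupplier.com", "", "Invoice 1042", "Attached is invoice 1042 for September. Payment is due in 30 days."},
	{"Accounts Receivable", "ar@bigsuppiler.com", "", "Updated banking details", "Our account number has changed. Please transfer all future payments to the new account."},
}

// domainOf returns the lower-cased part after the last '@' (the whole string if there is none).
func domainOf(addr string) string {
	return strings.ToLower(addr[strings.LastIndex(addr, "@")+1:])
}

// editDistance is plain Levenshtein; a trusted domain one or two edits away from
// the sender's (bigsuppiler.com for bigsupplier.com) marks a look-alike.
func editDistance(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			costs := []int{prev[j-1] + cost, prev[j] + 1, cur[j-1] + 1} // substitute, delete, insert
			sort.Ints(costs)
			cur[j] = costs[0]
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Flags lists the red flags one message raises, sorted so output is stable.
func (p Policy) Flags(m Message) []string {
	var flags []string
	from := domainOf(m.FromAddr)
	if p.Executives[strings.ToLower(m.FromName)] && from != p.InternalDomain {
		flags = append(flags, "executive display name from external domain")
	}
	if m.ReplyTo != "" && domainOf(m.ReplyTo) != from {
		flags = append(flags, "reply-to domain differs from sender domain")
	}
	if !p.Trusted[from] {
		for d := range p.Trusted {
			if editDistance(from, d) <= 2 {
				flags = append(flags, "look-alike of trusted domain "+d)
			}
		}
	}
	text := strings.ToLower(m.Subject + " " + m.Body)
	for _, w := range []string{"wire", "transfer", "account number", "banking details", "routing"} {
		if strings.Contains(text, w) {
			flags = append(flags, flagTransfer)
			break
		}
	}
	sort.Strings(flags)
	return flags
}

func main() {
	for _, m := range Samples {
		fmt.Printf("%-24s -> %s\n", m.FromAddr, strings.Join(Gateway.Flags(m), "; "))
	}
}
```

`editDistance` is ordinary Levenshtein distance; a threshold of two catches the transposition in `bigsuppiler.com` while leaving genuinely different domains alone. The held message is released only after someone calls the counterparty on a number from the vendor master file, never one taken from the e-mail signature; that call is the "clear protocol" the paragraph refers to, and it is the one step that cannot be automated away.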
For companies that fall victim to a fraudulent wire transfer, speed is of the essence, Reuhs said. Firms have somewhere between 24 and 36 hours, working with their bank, to recall transferred funds, which are typically parceled out through a web of intermediary institutions in the U.S. and the U.K. and then on to accounts at less regulated banks across the globe.
When funds can’t be recovered, insurance claims and lawsuits are often the last resort for companies that wish to recoup at least a portion of what was stolen. But the market for cyber insurance is still in its infancy, and insurers’ willingness to pay out will hinge on the exact type of coverage a company purchased and on the "small text” of the policy, its exclusions, the attorneys agreed.
Generally, the risk of such scams is borne by the customer in cases where the bank has taken "commercially reasonable” steps to secure its infrastructure. That’s a vague term and there have been some recent cases that have tested banks’ claims that their security was reasonable. Still, clawing back stolen funds directly from the criminals is a surer bet than using litigation to argue with your bank about whether its security was reasonable, Merker said.
Paul Roberts - 10/13/15
For Threat Intelligence, Expert Advises Companies Roll Their Own
Threat intelligence is the new hot product category in security. But one prominent cyber investigator suggests companies would do well to leave premium services on the shelf and roll their own, instead.
The information security industry is notoriously subject to fads – and there have been many over the years. Intrusion detection and prevention was everybody’s silver bullet of choice a decade ago. Then it was network access control (NAC). Then data leak prevention. Application whitelisting, application firewalls and security information and event management (SIEM) "dashboards” had their moments in the sun, too.
Some of this is by necessity. Bad guys (for lack of a better term) are a constant irritant in the information security world. And, because they keep doing things differently, the market has had to keep adapting to new methods and attack types. Besides, most of those "fad” technologies didn’t fade away like the Pet Rock. Rather, they were adopted – if not universally – and have now become part of the multi-layered defenses in use at many firms.
The latest "hot technology” is notable, however, for not being a technology at all so much as an information product. I’m talking, of course, about "threat intelligence,” a vague term that encompasses everything from data on new malware variants and botnet command and control nodes to dumps of leaked or stolen corporate data, to profiles of cyber criminals and Chinese Army regulars who are behind sophisticated offensive operations online.
The hunger for threat intelligence is a predictable outgrowth of the shift in companies’ focus from undifferentiated to targeted cyber attacks, often directed at a small number of firms in a particular industry, or at a single company. If you understand an attacker’s motives and methods, the thinking goes, you can spot nascent attacks before they become serious or take steps to protect critical assets ahead of time.
While that may be true, companies need not spend tens of thousands of dollars on subscriptions to threat intelligence feeds. In fact, they may be better off constructing their own feeds using open source intelligence, rather than relying on costly subscriptions from threat intelligence vendors.
That was the message that attendees to this year’s ISSA International Conference in Chicago heard from Jeff Bardin of the security firm Treadstone 71. Speaking on Tuesday, Bardin – an NSA veteran – said that threat intelligence gathering is a critical function and can be invaluable in understanding an adversary in both kinetic and online warfare. But, done right, intelligence gathering is both time consuming and expensive, requiring the creation of elaborate false fronts and personas, as well as an extensive intelligence gathering and analysis function to process the data collected.
Simply put, most companies offering threat intelligence services today don’t meet that standard and, as a result, the quality of the information they sell is low.
"You have a lot of companies who are coming from a defensive posture, and they’re not good at it,” he said.
Likening the worst among them to "cyber carpetbaggers,” Bardin said that companies considering purchasing a threat intelligence feed from a third party should be prepared to ask hard questions about where the company gets its intelligence data, how confident it is in its accuracy and what gaps exist in the intelligence it is selling. Murky answers to those questions or a lack of transparency are red flags, he said.
An alternative to premium intelligence feeds is simply for companies to collect their own threat intelligence using what Bardin refers to as "passive intelligence collection.” Rather than expending valuable corporate assets building fake personas online ("sock puppets” in Bardin’s nomenclature) or trying to infiltrate hacker forums, Bardin advocates gathering information using simple web searches and social media crawling to help understand the groups or individuals who might be targeting your firm.
As an example, Bardin noted that even high profile hacking groups, like the Syrian Electronic Army, have extensive online profiles on sites such as Facebook and the Russian social networking site VK.ru, LinkedIn and others.
Bardin has compiled extensive dossiers on groups like the SEA and Anonymous and says that monitoring their communications and social networks online can help tip off investigators to ongoing or planned cyber actions.
Still, threat intelligence gathering isn’t something that should be pursued in a haphazard fashion. To the contrary, any foray into threat intelligence gathering needs to be considered as part of an overall strategic plan for security including the articulation of standard operating procedures that must be followed. "You need a vision and a mission,” Bardin said. "You need to define the objectives and the priorities that the intelligence will be used for. You need to know what metrics you will be gathering and how you will apply them. You need to define clear rules of engagement,” he said.
As for where to focus threat intelligence gathering efforts, Bardin recommended that companies start by reviewing the output of existing security tools such as firewalls, IDS sensors and email gateways. Compiling a list of web domains and IP addresses behind attacks on your organization can provide a roadmap to groups that are after you. That, in turn, can be a starting point for an investigation into the individuals and groups behind those attacks.
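Bardin's starting point in code, as an added example that is not Treadstone 71's tooling: a handful of constructed firewall, IDS and mail-gateway log lines (RFC 5737 documentation addresses and `.example` hostnames, with our own network assumed to be `198.51.100.0/24`) are parsed into the external IP addresses and domains behind the activity, counted, stamped with first and last sighting and ranked, and the indicators that two independent tools agree on are pulled out as the first pivot for an investigation.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// RawLogs are constructed sample lines in the three shapes the talk names: firewall denies,
// IDS alerts and mail-gateway rejects (RFC 5737 documentation addresses, .example hostnames).
const RawLogs = `2015-10-13T09:01:12Z fw DENY src=203.0.113.45 dst=198.51.100.10 dport=22
2015-10-13T09:01:15Z fw DENY src=203.0.113.45 dst=198.51.100.10 dport=23
2015-10-13T09:02:01Z ids ALERT sig="ET TROJAN CnC Beacon" src=198.51.100.77 dst=203.0.113.45 domain=update-cdn.example
2015-10-13T09:05:30Z mail REJECT sender=billing@invoice-portal.example url=http://update-cdn.example/x.php src=203.0.113.9
2015-10-13T09:07:44Z fw DENY src=192.0.2.200 dst=198.51.100.10 dport=445`

const InternalPrefix = "198.51.100." // our own address space (assumed); hosts there are victims, not indicators

// Indicator is one external IP or domain together with the evidence pointing at it.
type Indicator struct {
	Value, Kind         string
	Count               int
	Sources             map[string]bool // which tools saw it: fw, ids, mail
	FirstSeen, LastSeen string
}

var kvRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`) // key=value or key="quoted value"

// Extract returns the timestamp, the tool name and the external indicators (value -> kind) in one line.
func Extract(line string) (string, string, map[string]string) {
	fields := strings.Fields(line)
	if len(fields) < 3 {
		return "", "", nil
	}
	found := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		key, val := m[1], strings.ToLower(strings.Trim(m[2], `"`))
		switch key {
		case "src", "dst": // only the external side of a connection is an indicator
			if !strings.HasPrefix(val, InternalPrefix) {
				found[val] = "ip"
			}
		case "domain", "url", "sender": // normalise a URL or a mail address down to its host
			if u, err := url.Parse(val); err == nil && u.Hostname() != "" {
				val = u.Hostname()
			}
			found[val[strings.LastIndex(val, "@")+1:]] = "domain"
		}
	}
	return fields[0], fields[1], found
}

// Aggregate folds the whole log into a ranked indicator list (lines are assumed chronological).
func Aggregate(logs string) []Indicator {
	byValue := map[string]*Indicator{}
	for _, line := range strings.Split(strings.TrimSpace(logs), "\n") {
		ts, tool, found := Extract(line)
		for val, kind := range found {
			ind, ok := byValue[val]
			if !ok {
				ind = &Indicator{Value: val, Kind: kind, Sources: map[string]bool{}, FirstSeen: ts}
				byValue[val] = ind
			}
			ind.Count, ind.LastSeen, ind.Sources[tool] = ind.Count+1, ts, true
		}
	}
	out := make([]Indicator, 0, len(byValue))
	for _, ind := range byValue {
		out = append(out, *ind)
	}
	sort.Slice(out, func(i, j int) bool { // most evidence first, then alphabetical
		if out[i].Count != out[j].Count {
			return out[i].Count > out[j].Count
		}
		return out[i].Value < out[j].Value
	})
	return out
}

// Corroborated picks indicators that two or more tools agree on: the best starting point for a pivot.
func Corroborated(inds []Indicator) []string {
	var out []string
	for _, ind := range inds {
		if len(ind.Sources) >= 2 {
			out = append(out, ind.Value)
		}
	}
	return out
}

func main() {
	inds := Aggregate(RawLogs)
	for _, ind := range inds {
		fmt.Printf("%-24s %-6s hits=%d tools=%d %s..%s\n", ind.Value, ind.Kind, ind.Count, len(ind.Sources), ind.FirstSeen, ind.LastSeen)
	}
	fmt.Println("pivot first on:", Corroborated(inds))
}
```

The key=value shape of the sample lines is an assumption; each real sensor needs its own parser, but the aggregation step is the same. Note the filter on `InternalPrefix`: the IDS line names an internal host as `src`, and copying it into the indicator list would have you investigating your own victim instead of the command-and-control address it was talking to.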
Paul Roberts - 10/13/15