Moving from Hacker to Threat Actor/Adversary

There is a subtle shift in the Information Security landscape that I first noticed a few years ago and seems to be gaining momentum.  The shift is moving from the profile of a “Hacker” to a more substantiated one of a Threat Actor or Adversary.  I agree it sounds like hype and without substance but let me explain further.  A Hacker is an vague term created in the early 70′s to describe people who exploited weaknesses in phone systems aka phone phreaking.  John Draper aka Cap’n Crunch has been immortalized in security folklore for his exploits as a phone phreaker.

Fast forward 40 years and now we still have this term “Hacker” but it now is an all-compassing, amorphous term to describe cybercriminals, state sponsored threats, insider threat, hactivists etc much the same way as the term Virus became an umbrella term for every piece of malicious software.  The term Hacker has been popularised by the media and is now synonymous with cyberattacks, whatever the motive, whatever the method, whomever the perpetrator(s).  The problem is a simple one.  If you are an organisation trying to build your defences against cyberattacks, one of the most fundamental questions you need to start with is “Who would/is trying to attack us?” If you answer with “Hacker” that doesn’t help very much and from this starting point, most organisations attempt to build their defences.  As Sun Tzu’s famous quote goes “If you know your enemies and know yourself, you will not be imperiled in a hundred battles… if you do not know your enemies nor yourself, you will be imperiled in every single battle”

A thorough threat analysis needs to include threat profiling.  This process is not an attempt to profile every single threat actor/adversary you may face, that’s an impossible task but who are your most likely threat actors? Are they cybercriminals looking for credit card/personal identifiable information? Are they state sponsored threat actors looking for financial/intellectual property as your organisation does alot of business with that state? Or are they hactivists looking to make a political statement due to your organisations business model?  Some organisations like Crowdstrike specialise in this kind of profiling may give you further information to sharpen your threat profile of possible threat actors you may face.  The psychological benefit is now you start to have an idea of who the enemy is, it gives form to the amorphous construct of a hacker and I believe from that standpoint, allow you to build your cyberdefences to better cater for attacks.

Threat profiling on it’s own is not sufficient, it needs to be a part of a comprehensive risk management process as a subset of a continuously improving and developing information security program.

Posted in Uncategorized | Leave a comment

Do we need a new approach to IT security? – No

2014 has started out badly in terms of data breaches, over the new year period the Target US breach was disclosed followed closely by Neiman Marcus, this is on top of the continuing Snowden revelations about the activities of the US’s National Security Agency.  All this has added to the already loud beating drums of IT Security experts calling for a “new” approach to IT security or a “new” security framework to meet these new demands.

Our current risk and security model places emphasis on rigorous and comprehensive risk management, identifying assets and prioritising planning and mitigation on critical assets and what’s left over is acceptable risk to an organisation.  During this process mitigating controls are identified and are deployed in an overlapping, layered defence in depth technology architecture.  This is a lifecycle or process whereby an organisation plans the design of their information security system by assessing risks and controls, implements the controls, continuously monitors the performance of the system and then acts on   changes that are required.  The process is iterative and never a static, point in time snapshot.  The approach, say the experts is not effective against the new and ever changing threat landscape, industrialisation of hacking, advanced persistent threats, advanced malware and so on and so on.  But pragmatists amongst us are skeptical and for good reason.

Firstly, collectively we’ve done a poor job of the current approach.  Every breach I’ve read about or analysed has come about by a failure on the part of the organisation to at times implement basic security practice combined with some smart work by the attackers.  Let’s take Target for instance, if reports are true then proper management of 3rd party contractors and basic network segmentation of what 3rd party contractors have access to on the network may have stopped one of the largest breaches of credit card and personal identifiable information.  I accept that for an organisation the size of Target it’s a difficult thing to do but again, that’s a failure of resources, planning and executive support as opposed to a broken approach to IT security.  Secondly, there is no “new” approach or “new” model or “new” framework.  In 2014 there is rarely anything that’s new, it’s usually a rehash or an emphasis of the current approach or technology masquarading as an approach.  A threat centric approach where the emphasis is on the likely threats to the organisation? An active defence approach where profiling the threat actors to your organisation and moving from a defensive posture to an offensive one? Neither are new but just an emphasis on the threat analysis and a different mitigating control.  Lastly the call for a new more innovative approach lacks understanding of the scope of innovation.  Innovation means new or improved approaches to meet changing requirements, I think where so-called security experts get lost is neglecting to improve the status quo and often go looking at new technology as a panacea.

My recommendation to organisations is assess your current information security approach and ensure that it adequately meets the requirements of your organisation.  Standards such as PCI DSS, ISM (Australian Federal Govt), State Govt standards, Privacy Law amendments are a good start but beware as no one standard or best practice methodology will fit your business “off the shelf”.  Each organisation has it’s own unique requirements and objectives it aims to achieve so ensure whatever information security approach it takes is flexile enough to fit the current and future direction of the organisation.

Posted in Architecture/Framework | Leave a comment

Leadership and Inspiration in business

Inspiration and the ability to inspire is a well used concept that’s thrown around in business.  Every leader aspires to it, every manager claims it but what is it in it’s true form and is it even possible in business?  Whenever I get asked what is inspiration I like to use a quote from Patanjali who is credited as the author or compiler of the Yoga sutras.  Patanjali on inspiration;

“When you are inspired by some great purpose, some extraordinary project, all your thoughts break their bonds: Your mind transcends limitations, your consciousness expands in every direction, and you find yourself in a new, great and wonderful world. Dormant forces, faculties and talents become alive, and you discover yourself to be a greater person by far than you ever dreamed yourself to be.”

Now isn’t that something? Who would even think about business when reading something like this?  Well I think it’s possible, not every hour of the day, every day of the year but if you view it from the prism of a process or a continuum where on one end of the spectrum you are inspired then it’s absolutely possible.  I’d take it a bit further and say that through contact with others is the quickest and easiest conduite for the inspiration process.  We’ve all felt it, when you’re with someone or a group of people and collaborate on something, get engaged in the process and voila! you feel inspired.  I think there are other precursors to the inspiration continuum as well, insight or awareness being a key element.  Insight or awareness can be defined as a patterning or organising of the perceptual field ie, how we perceive our environment, so that things that are not readily apparent, become clear.

So to summarise from a business perspective, inspiration is transcending of your perceptual field where things that aren’t readily apparent become clear and people, processes and technology, forces that may have been dormant, become alive.  Inspiration becomes possible when you surround yourself with like minded people, engaged and focused in a common direction.  A leader facilitates this process, bringing people together and encouraging collaboration, creating the conditions for inspiration to flourish.  This being said, leadership and inspiration are synonymous and one cannot exist without the other.

Posted in Leadership | Leave a comment

A field centric view of IT security

A new study by ISACA released yesterday shows that organisations deploying traditional security controls such as anti-malware and firewalls are susceptible to attacks that circumvent these traditional controls.  The author of the study, David Lacy rightly points out that new attacks are very sophisticated in nature even if their objectives are as old as civilisation itself.  The delivery method is also unsophisticated, usually a spear phishing email to an employee(s) who the attackers use to get a foothold into the organisation. Lacy goes further stating organisations are unprepared for these attacks and attitudes need to change, organisations need to deploy more modern defences to outwit the attackers.  So far so good but unfortunately where the article falls short is the lack of discussion on architecture and frameworks.  How do organisations deploy these new controls going to effectively defend their organisations?  How do organisations make the correct decisions on what type of controls to deploy?  The fundamental downfall of the article is the sole focus on technology as if were some kind of panacea.  Technology is not the answer to modern, sophisticated attacks…it’s only part of it.

We’re currently in transition from the traditional controls like anti-malware, firewalls, web and email gateways, encryption etc.  It’s true that these alone are not sufficient and organisations like Imperva, Bromium, Cylance, Crowdstrike and FireEye bring solutions to the market that can complement traditional controls using unique technology.  In the case of Bromium, a micro-visor approach built upon Intel and AMD’s chip hypervisor technology, brilliant stuff.  Or FireEye who popularised the dynamic sandbox where executables files run in a virtual sandbox, before a decision is made as to whether it’s malware or not, again excellent stuff.  However these controls in isolation will not suffice and what we need is the other part of the equation, a robust technology architecture governed by a thorough risk management program.

We need to take a field centric view on security, one that views the risks and threats to an organisation as a whole, rather than reducing it to individual parts.  A field centric view is a holistic approach, utilising risk management as the governing mechanism to assess an organisations security posture and engaging the business part of the organisation to adequately support and fund it’s information security management system.  From there it maps to an organisations business and technology architecture, how is security and underlying controls going to support this?  Building a strong security technology architecture is key to meshing security controls, both traditional and modern into a tight, overlapping framework that strengthens each control.  Deploying new technology as a security panacea will surely fail as history has shown us.

Posted in Uncategorized | Leave a comment

Add Adobe to the growing list of companies who got pwned by Hackers

Adobe has this morning posted that they’ve been hacked with Chief Information Security Officer Brad Arkin notifying customers that customer names, addresses, debit/credit card numbers (albeit encrypted) and most worryingly source code has been stolen by unknown attackers.  What’s worrying about the source code piece is I expect you’ll see zero-day exploits around Adobe products, which have a massive footprint, think Adobe Acrobat, Reader, Flash etc.  Adobe haven’t released any details of the hack but you can bet that the attackers have been most likely in the Adobe network for weeks if not months, leveraging an unknown exploit, delivered via a spear phishing email to an Adobe employee.    Who the attackers are is an intriguing question.  They’re obviously skilled and well funded as I would expect Adobe has a strong information security management system.  The fact the attackers got source code means they were most likely embedded deep within the Adobe network and most likely for months.

What the Adobe attack shows is that a large organisation, even well funded, well resourced like Adobe can be susceptible to a simple spear phishing attack leveraging an unknown exploit.  Regardless of the resources of Adobe it’s the complexity of a large organisation that makes it so difficult to defend.  As the old security saying goes “Complexity is the bane of information security” the more services you have running on your systems = more opportunity for more exploits.  The more employees you have = more opportunity for spear phishing.

One thing large organisations can do is to deploy a “Red team” within their own networks to hunt down would be attackers, much like most countries deploy counter-espionage teams to catch spies.  The Red team would actively probe, actively hunt down attackers on their organisations systems by doing similar activities to what the attackers would be doing.  The interesting dilemma is what to do if the Red team has discovered an attacker?  Is it enough to lockout the accounts they’re leveraging? Or perhaps identify who they are and where they come from? If you just lockout an account the attacker will most likely just try again, using another exploit, targeting another user.  If you identify the attacker it gives you more information to make a more informed decision, is it a competitor? If it is then perhaps feed them disinformation.  If it’s a nation state then call in the authorities.  One thing is clear, if you are a large organisation with something of value, whether it be credit card, intellectual property or connected to another organisation an attacker wishes to get to, then you will be a target.  Deploying proactive defensive measures needs to be something to consider to add to your information security management system.

Posted in Industry news | Leave a comment

The shrinking security market

Cisco’s acquisition of Sourcefire for 2.7 billion dollars announced yesterday has been game changing on two fronts. For Cisco it’s revived their network security story and signalled to the market that Cisco is dead serious about becoming the number 1 security vendor in the industry. With Sourcefire they add an industry leader in Network IPS, a burgeoning NGFW & FireAMP, Sourcefire’s advanced anti malware platform. There is also good synergy between both organisations too with both being network security focused and the success or failure of the acquisition will depend on how well and how quickly Cisco can integrate Sourcefire both organisationally and solutions wise.

The second front is the rationalisation of the security market with Cisco’s announcement following McAfee’s earlier acquisition of Stonesoft to bolster their network security portfolio. Most analysts are predicting the larger infrastructure vendors such as Cisco, HP, IBM and Dell to be active on the acquisition trail. In my view this is a good thing for the industry, there are too many, albeit good point solutions that may work we’ll in isolation but is too complex and costly when viewed from the prism of security technology architecture. Complexity really is the bane of security.

So who are the vendors who will profit most out of this rationalisation? Well the three I’m betting on are Cisco, IBM and McAfee. All are architecture focused, looking at building frameworks or platforms which to some degree are open using published API’s. All have a strong portfolio of solutions covering network, identity and threat management although McAfee would have to be the leader in terms of having an integrated solution set through its Security Connected platform. All three are acquisition hungry and savvy, having built their solutions both organically and through acquisition. IBM and Cisco have a natural advantage having a heavy footprint in organisations via its other solutions but McAfee are leveraging their parent, Intel to narrow this advantage.

By no means am I discounting the Symantec’s, Checkpoint’s and Trend Micro’s of the industry, I just think the aforementioned big three’s focus on platform and architecture will stand them in very good stead over the next 2-5 years in the industry.

Posted in General, Industry analysis, Threats | Tagged , | 1 Comment

Is the notion of Privacy dead?

The recent revelations about the US’s National Security Agency’s monitoring program, code named PRISM has thrown up an interesting question which I’ve been pondering over recently.  Is the notion of “Privacy” particularly in the context of your data, whether it be name, address, phone number etc being available online, dead? Has the horse bolted?

The upcoming amendments to the Australian Privacy Laws give the Privacy Commissioner, Timothy Pilgrim a big stick to take to organisations who are found to have not put sufficient controls around personal identifiable information.  This is a worthwhile move to safeguard the personal information of consumers whom entrust it to third party organisations and have an expectation their information will be protected.  But in the age of Facebook, Instagram, Twitter, Gmail ad nauseum is it realistic to expect any safeguards around your data?  What happens if the very entity that is entrusted to legislate to protect your data aka the Government are the very people who are mining it as is the case with the US Government?

My approach to my own data privacy is that it’s already out there so I need to manage it, that is the horse has already bolted.  I accept my phone number and even address is public knowledge.  My financial information is protected as best I can, however I’m aware and vigilant about the fact someone maybe able to steal enough information to commit identity theft. 

My approach dictates my actions to protecting my data.  By taking a “manage it” approach it allows me greater flexibility around the controls I place around it.  In my opinion, if I took a “defensive” approach, then I’d be rooted in a defense mentality and blind to other possible avenues.

Posted in General | Leave a comment

My personal LinkedIn tips

A few of my connections on LinkedIn asked me to put together my top tips for getting the most out of the social networking platform.  I’ve been an avid LinkedIn user since 2006 with almost 1500 connections and last year according to LinkedIn my profile was in the Top 2% of most viewed but I don’t consider myself to be an expert.  In fact I find I’m learning something new almost everyday from another connection, user or from one of the many informative and interesting articles on LinkedIn.

So here goes, Lani’s top tips in no particular order for getting the most out of LinkedIn.

1. No Desktop Selfiez. By far the most common tip I give out has to do with the first thing people look at when viewing your profile, your photo.  So many people use the webcam on their laptop/desktop to take “Selfiez” of themselves.  To date I haven’t seen a single one that looks professional.  Whether you are using LinkedIn to further your career, improve your personal brand or promote your business, a professional photo or even a good one taken by someone else is a must.

2. Your headline should represent you..not your current  role and employer.  The most popular use for the “Headline” field on a LinkedIn profile is for your current role eg, Chief Technology Officer at XYZ or CyberSecurity Specialist at ABCD.  Makes sense right? Not to me.  Your current role isn’t you and for most it’s temporary, whether that is measured in months or years.  My belief is your “Headline” should say something about you and your personal brand not your role and employer.

Also related to this is your updates to your profile and contributions to others shouldn’t read as an advertisement for your organisation, unless you run the company that is.  Your profile is your identity, your personal brand so balance your desire to promote your current employer with the need to promote your personal brand.

3. Be specific about recommendations.  Asking for recommendations is a no-brainer, it improves your profile and elevates your personal brand in the eyes of prospective employers and your peers.  But how many of us are specific when asking for recommendations?  If someone has been kind enough to write a recommendation for you then be specific on what you’re looking for whether it’s highlighting your leadership, technical or relationship skills.  Your recommendations should support your personal brand eg, If you are a dynamic, relationship focused business executive then your recommendations should include ones that testify to your dynamism in business or how you build and maintain relationships with key stakeholders etc.

4.Activity breeds success.  Only checking or updating your feed when you’re looking for a job is usually too late.  Put aside a few minutes a day to contribute to updates from your connections or if you have the time, to one of the groups that you subscribe to as it accomplishes three main things.  Firstly, it gives you exposure to connections outside your immediate network ie, 2nd and 3rd level connections.  Secondly, it gives you an opportunity to continue to promote your personal brand.  Your updates and contributions should be consistent with what you represent.  Lastly it keeps you informed of changes in your network and industry in general.

5. Recruit Recruiters as connections.  I’ve found Recruiters who are among my connections as the most active on the LinkedIn network.  LinkedIn is a recruitment and talent acquisition platform for them so they advertise their own and their connections roles.  They also search LinkedIn for talent and if you have kept in contact with them, a short message every now and then takes less than a minute, they will usually keep tabs on you.  If a fantastic role is available, guess who they are more likely to contact?

6. Ask your Recruitment connections to review your profile.  I was going to include this as part of “5″ but I thought it important enough to have on its own.  If you have some Recruitment connections your trust then ask them to review your profile and suggest changes.  After all, who best to advise you than those who spend most time on LinkedIn and is their job to find the best talent available?

7. The rule of 3.  I must give credit where credit is due, this tip isn’t mine and I came across this when a 2nd level connection put an update on his profile criticising and generalising the Recruitment industry as a whole.  Within a day he had 20 comments, mainly disagreeing with him and most of them were Recruiters.  Imagine how many thousands of LinkedIn users would’ve seen his naïve update?  I checked back 3 days later to see how the thread was going and his profile had been deleted.  Talk about career limiting move.  Anyway Mary E Clark included her rule of 3 which I’ve added to my own must do’s on LinkedIn.  Rule 1. Is it true?  Rule 2. Is it necessary?  Rule 3. Is it kind?  If it’s a NO to any of those, then don’t post it.

8. If you walk like a duck and talk like a duck..  I’m not going to get all Lao Tzu on you, although though the Tao Te Ching is a book I read over and over again.  Again I must give credit where credit is due to Aaron McEwan for teaching this to me many years ago.  It’s probably the single most important piece of career advice I’ve ever received.

You would have noticed that I mention throughout this post about a ”personal brand”.  Before putting your profile together, work out what yours is.  Ask yourself, who am I? and what do I want to represent as my personal statement or brand for my career?  Your profile should be constructed around this and your updates to your profile and contributions to others and groups needs to consistently represent this.

 

Posted in Business | Leave a comment

Critical infrastructure..to legislate or not to legislate..that is the question

While IT in general is undergoing rapid change with Cloud, Big Data and BYOD providing massive potential opportunities for organisations as well as a few Risk/Security headaches, organisations who are under the “Critical infrastructure” umbrella remain largely resistant to change and for good reason. 

A large swarth of organisations under this “critical infrastructure” umbrella run SCADA (Supervisory Control & Data Acquisition) or ICS (Industrial Control Systems) that by very nature cannot be subject to rapid change.  Lifecycles for equipment run into the 20′s or sometimes 30′s in terms of years and the management of these assets runs almost antithetically to the standard IT doctrines we currently operate under.  For example most IT departments patch vulnerabilities in their systems monthly, sometimes weekly and for critical systems perhaps quarterly.  SCADA/ICS systems due to the equipment they control would probably be lucky to see vulnerability patching yearly and due to lifecycles may even run unsupported platforms.  It’s not unheard of to see Windows 2000 server or desktop running within some organisations. 

ICS-CERT reported late last year that it had been notified of 197 security incidents in 2012.  Doesn’t sound like much?  This is compared with 9 in 2009.  Now you can dice this up and interpret it how you like but what it shows is that reported security incidents are exponentially increasing and doesn’t take into consideration the unreported incidents.  Search engines like Shodan now make interconnect connected control systems available at a click of a button.  Alot of these systems either still use default passwords or contain vulnerabilities that are easily exploited. 

So you would expect that with the risk and consequences of something happening in this sector that Governments and Private sector would be moving enmasse to ensure it’s safety?  Unfortunately not.  The US Government is on the right track with a Presidential Directive directing action to be taken by the Government agencies responsible.  This is mobilising it’s responsible Agencies to collaborate and work towards a solution which is a good start.  What’s needed is organisations within critical infrastructure to not wait to be tapped on the shoulder or legislated but be proactive and do the necessary remediation work to ensure the safety of it’s equipment, personnel and broader public.

My fear is that organisations either won’t do or do as little as possible under legislation or will look to reduce scope of the remediation work required to the point where it provides very little practical use.  At this stage of the game, it seems like legislation is the key.  Most of these organisations are legislated heavily in other areas so it’s nothing new.  It would be great to think they would make the necessary improvements on their own but history doesn’t reflect that.

Posted in Critical infrastructure | Leave a comment

Productivity, Collaboration and Innovation – The work from home dilemma

Marissa Myers Yahoo’s CEO has recently received a caning in both media and social media over her decision to ban work from arrangements in favor of its employees working from the Yahoo offices. This follows an interview with Google where they openly admitted it was their preference for its workers to be in the office. Both these Internet giants are bucking the trend of workers having a more flexible work environment which usually means full time or part time telework or telecommuting. So is it the right decision and are we seeing the trend begin to reverse? I’ll answer these in reverse order and say No to the latter. This does not mean the telework/telecommute trend is reversing. Quantitative studies show that workers can be more productive working from home and this is seen as crucial to retaining talent for employers. Employees like the flexibility of telework/telecommute and most are now specifying this as a key requirement when looking for a new role.

Now to answer the first part, is this the right decision? That’s an absolute and resounding Yes for both organizations and I dare say for most in the high technology industry. In an industry where the competitive edge is innovation, having your workforce interacting with each other personally is a must. There is a quality to human contact in close proximity, the facial expressions, cues that you do not get over a webcam or teleconference line. Google calls this quality “magic” but in reality it’s not, it’s just how we humans have evolved. If you look at our evolution we are a social animal, banding together in groups for survival and as we’ve evolved that hasn’t changed. As John Donne eloquently puts it “No man is an island, entire of itself. Each is part of the continent, a part of the main”. There is a theory of human social development called Attachment theory which stipulates a an infant that is securely attached emotionally to their attachment figures, primarily the mother and child relationship will develop more secure, trusting relationships as they grow into adulthood to become more functional adults. This attachment is facilitated through close contact, touch and proximity to a child’s attachment figures.

In terms of collaboration and innovation, I posit that humans in close proximity, in close contact over cubicles, in kitchens, in hallways will collaborate more efficiently and effectively than if you we’re on the other end of a phone, IM or webcam. Collaboration done correctly is a precursor to innovation, a key differentiator for the high tech industry.

Posted in Uncategorized | Leave a comment