IT Security Blog

Your source for information security news and views.

Ken Kousky


The Ongoing Revolution in Learning Through Technology

Posted by Ken Kousky on Friday, 27 July 2012 in Uncategorized

Over the past month, thoughts about the education paradigm have been something like the modern 4th of July fireworks — always a big bang and a new twist. I’ve followed the MIT/Harvard EdX online class of 155,000 students. I even thought about the incredible process of trying to grade the exams and student authentication challenges. If you’re not familiar with this project, you should be. MIT launched their intro to electronics class online with 155,000 enrollments! That’s a BIG classroom. Sounds like we’ve hit on an educational breakthrough!

Well, maybe it's not a complete breakthrough. It turns out that 7,154 completed and passed the course. Our own pass rate on CISSP boot camps is dramatically better than MIT and Harvard’s. In fact, the real fallout came between the open enrollment period and the first exam. If you've ever taught college, you know what the first cut looks like. It's a wake-up call. Here, the class dropped by over 70%! A large audience WANTS to learn, but they need ongoing motivation — coaching, nudging, pushing and cajoling to keep them going.

What EdX did is profound. It’s a radical change in how we think about education globally but we need to be clear about what we know. We know there's a huge appetite for learning. However, content isn't the constraint. It's context.

 - KWK


Understanding Risk - a 5-step risk management strategy

Posted by Ken Kousky on Wednesday, 11 July 2012 in Uncategorized

So, what is risk? What does it mean? We can define risk as the possibility that bad, unplanned or unexpected things happen. It implies, most often, after the fact, that something could have been done about the “risk” to prevent the bad things. In many of the most disastrous events, there were clear warnings and a multitude of actions that should have been taken.

Risks can be mitigated. Risky activities can be reduced and safeguards can be implemented. Why then do we continue to see disastrous events in the papers that could have been avoided? Simply put, Western societies seem to have forgotten about it. We ended the twentieth century with a growing belief that all of the critical issues of the world had been solved. Resources would be efficiently allocated through free competitive markets and social issues resolved by the universal adoption of democratic practices. But this myopia, which took fifty years to develop, will likely take more than a decade to change, and many organizations don’t have the resources to manage it effectively.

So, where do we start? We believe it should become an automated process. Identify and develop some key fundamental steps to help define your risk management strategy. Keep it simple at the beginning so you can measure and mitigate effectively and develop a more detailed plan as you learn and identify more risks.

Steps in a simple risk management strategy:

  1. Identify the potential risks. List all of the different scenarios that could potentially go wrong.
  2. Develop a measurement tool to gauge the impact and severity of the risk. Ask yourself what the probability of the risk happening is and what the impact would be.
  3. Develop alternative solutions to the various risk scenarios: identify the possible ways to mitigate the risk while measuring their effectiveness against budget restrictions.
  4. Determine the remediation solutions to be used and implement them. Allocate the needed resources and obtain management buy-in.
  5. Continuously monitor results. Develop a monitoring schedule; you must check frequently to ensure your plan is working. Identify any needed changes or updates based on threat and risk assessment criteria.
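As an added example that is not part of the original post, here is the five-step procedure expressed as a small Python risk register: it scores each risk by probability times impact (step 2), compares alternative controls by expected loss avoided per unit of cost within a budget (steps 3 and 4), and reports the residual exposure to review at the next monitoring cycle (step 5). Every risk, probability, impact, control, cost and the budget are constructed sample values, not figures from the post.

```python
# Added example, not from the original post: a small risk register that
# walks the five steps above. All risks, probabilities, impacts, controls,
# costs and the budget below are constructed sample values.
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    cost: float        # one-time cost, same unit as impact
    reduction: float   # fraction of the risk's expected loss it removes (0..1)


@dataclass
class Risk:
    name: str
    probability: float          # step 2: likelihood of occurring per year (0..1)
    impact: float               # step 2: loss if it does occur
    controls: list = field(default_factory=list)   # step 3: alternative mitigations

    def expected_loss(self) -> float:
        return self.probability * self.impact


# Step 1: identify the risks (constructed sample register)
SAMPLE_REGISTER = [
    Risk("Phishing leads to credential theft", 0.6, 50_000, [
        Control("MFA on email", cost=8_000, reduction=0.8),
        Control("Awareness training", cost=4_000, reduction=0.3),
    ]),
    Risk("Ransomware on file server", 0.2, 200_000, [
        Control("Offline backups", cost=10_000, reduction=0.7),
    ]),
    Risk("Lost laptop with customer data", 0.3, 20_000, [
        Control("Full-disk encryption", cost=1_000, reduction=0.9),
    ]),
]


def rank_risks(risks):
    """Step 2: order risks by annualised expected loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def choose_controls(risks, budget):
    """Steps 3 and 4: compare alternatives by expected loss avoided per unit
    cost and pick greedily, at most one control per risk, within the budget."""
    candidates = []
    for risk in risks:
        for ctl in risk.controls:
            avoided = risk.expected_loss() * ctl.reduction
            candidates.append((avoided / ctl.cost, avoided, risk, ctl))
    candidates.sort(key=lambda t: t[0], reverse=True)
    chosen, spent, covered = [], 0.0, set()
    for _, avoided, risk, ctl in candidates:
        if risk.name in covered or spent + ctl.cost > budget:
            continue
        chosen.append((risk.name, ctl.name, avoided))
        spent += ctl.cost
        covered.add(risk.name)
    return chosen, spent


def residual_exposure(risks, chosen):
    """Step 5: expected loss left after the chosen controls; re-run this at
    each monitoring cycle with updated probabilities and impacts."""
    applied = {risk_name: ctl_name for risk_name, ctl_name, _ in chosen}
    total = 0.0
    for risk in risks:
        reduction = next((c.reduction for c in risk.controls
                          if c.name == applied.get(risk.name)), 0.0)
        total += risk.expected_loss() * (1 - reduction)
    return total


if __name__ == "__main__":
    for risk in rank_risks(SAMPLE_REGISTER):
        print(f"{risk.expected_loss():>9,.0f}  {risk.name}")
    picks, spent = choose_controls(SAMPLE_REGISTER, budget=20_000)
    for risk_name, ctl_name, avoided in picks:
        print(f"{ctl_name:<22} for {risk_name} avoids {avoided:,.0f}")
    print(f"spent {spent:,.0f}; residual exposure "
          f"{residual_exposure(SAMPLE_REGISTER, picks):,.0f}")
```

The greedy pick is deliberately simple; the point is that step 4 only makes sense once step 2 has put a number on each risk and step 3 has costed each alternative.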

A Dike and Three Dutch Boys...is this enough?

Posted by Ken Kousky on Tuesday, 03 July 2012 in Uncategorized

...Applying a triad methodology for risk management.

Similar to the Dutch boys and their dike, securing the barrier between your IT infrastructure and the rest of the world relies primarily on:

  • Plugging the known holes.
  • Posturing to plug holes based on historical data and not overreacting to an acute event.
  • Making educated guesses where to reinforce the infrastructure to minimize potential risk.

Risk awareness and risk analysis have become a central force in all aspects of information assurance and IT security, yet our current treatment of risk continues to be ad hoc and reactive rather than rigorously considered.

There are three profound issues that we must resolve if we are to sustain a meaningful, credible and constructive campaign for better risk management. First, we have to drop the absurd notion of rational economic decision makers minimizing risk. Thinking Fast and Slow is the most contemporary catalog of modern psychology that proves that people do not behave the way economic models suggest they would or should.

Second, we have to think about data in a vast macro framework and stop letting limited samples and short time horizons set our thinking. Really, ask yourself how many 100-year cycles have been recorded for the river nearest you? If we’re trying to statistically study cycles of up to 100 years, each 100 years is a single observation from which no meaningful statistical inferences should be drawn.

Third, risk is about potential losses. While we look at rare events with big losses as serious threats, the trillions of dollars lost annually are more likely to go to fraud than any other single addressable source. So, it seems that as security professionals and as risk managers we might want to spend more time and energy understanding the what, where, when and why of fraud.

According to Thomson Reuters the U.S. health care system alone wastes between $505 billion and $850 billion every year. That’s just the tip of a complex range of crimes that have changed and evolved with the advent of new tools and technologies.

Sticking with the theme of threes – here are three profound changes technology has made to the nature of fraud:

  1. Today’s technology greatly expands reach. Bad guys from across the globe can initiate fraud attacks from afar exposing us all to threats that used to be constrained by limiting physical access. The remote corporate campus isn’t remote anymore.
  2. Attacks can be scaled using technology. A recent Medicare fraud network was generating thousands of false claims aided by online claims entries. Another great example was the global synchronized attack on ATMs where the compromised cards were used at hundreds of machines across continents so even as the bank’s control systems quickly responded it wasn’t fast enough or coordinated enough.
  3. Technology blurs the line between insider and outsider as modern attacks often target the credentials of insiders giving outsiders the advantage of an insider as they organize and mount their exploits.

So, to complete the triads, we have three sets of threes. Our last trio to be examined should therefore be - what we should be doing about fraud:

  1. Treat fraud as a central and integral component of your risk management. It’s far more damaging than most cyber-security professionals think.
  2. When you start talking about fraud you’ll find a whole new professional community to interact with – fraud examiners and/or auditors, law enforcement, etc.
  3. Engage your fraud folks. Check out the professional associations. Read and track fraud in your industry.

Finally, add it to your existing triad – it’s too limiting to keep talking about confidentiality, integrity and availability. While these are good abstractions, when we get into risk management we think about the source, or the threat agent. What can we learn about their motives and intentions to understand their likely behavior?

Looking at fraud is a great 4th dimension to consider.

   - KWK


Security by Insanity

Posted by Ken Kousky on Wednesday, 27 June 2012 in Uncategorized

A dear friend found a reason to remind me what Einstein (or somebody important) said was insanity - doing the same thing and expecting something different. Well, this got me thinking. All my life people have found probable cause to call me crazy …. but not insane. There's something more clinical and more considered in the diagnosis of insanity.

I've spent over a decade delivering executive summaries on issues in information assurance and IT security. I've worked with the vendor community, academics and corporate IT staff studying threats associated with emerging technologies.

For example, when cars become "wired" systems with steering and braking being driven by software rather than direct physical linkages, there are certain risks that should be understood and analyzed. We framed the risks for remote automotive systems access through OnStar as well as vulnerabilities in network addressable controllers of medical devices.

We were one of the first groups to study SCADA vulnerabilities years before Stuxnet hit. As we evolve processes similar to SCADA for advanced medical devices like a Pacemaker, should somebody be thinking about securing it?

As an economist who spent several years teaching in an engineering school, I've developed a passion for root cause analysis. And, when things continue to break, I seek the pattern, the system drivers behind the break down. It seems we're doing the same thing with each new threat, with each new technology.

But over the past year, there's been too much insanity - too much doing the same thing and expecting different results.

Maybe the system itself is flawed. Maybe this is beyond crazy and actually insane. What are your thoughts?



Fool me once shame on you, fool me twice shame on you

Posted by Ken Kousky on Wednesday, 25 January 2012 in MyBlog

It looks as though 2012 is not only gearing up to be the year of cloud computing and healthcare information security concerns but also the year of continued phishing attacks and scams. Here is my most recently received scam (among the many other banking phishing attacks that roll in on a daily basis). It seems I have won the Texas Lottery, again!

 

These scams are much simpler to spot than some of the most sophisticated phishing scams I have seen. Take a look at a few of the key indicators:

1. In this cyber world I guess it only makes sense that they begin running a lottery based on email addresses, right?
2. I am addressed as Stake Winner – You would think that my winning $800,000.00 would at least warrant a name look up by the Texas Lottery Commission.
3. Google Translate is getting pretty good but not good enough to correct the grammar in this awkward message.
4. Wait a minute this isn’t Texas – I’m not even a resident of Texas, nor have I entered the Texas lottery lately.
5. Oh of course, that makes perfect sense, a Texas lotto claims agent, located in the United Kingdom, with only a Gmail email account.
6. Dr. Roseline Morgan, Director of the Texas Lottery Commission? Yes absolutely, I sure wouldn’t trust my lotto commissioners to hold anything less than a doctorate (hmm odd, she seems to enjoy signing her name “Morgan Lewis”)

 

Although this is a weak example of an online scam, the excitement of a lotto winning can sometimes cause all logic to go out the window. Check back as I’ll be updating you periodically on this year’s newest phishing attacks and how to avoid being duped.

Tags: attack, phishing

Trouble keeping up with the industry? IP3 Inc.’s CPE ToGo Program is here to help

Posted by Ken Kousky on Friday, 09 September 2011 in MyBlog

The past year has been plagued with a variety of new attacks. The most influential were Operation Shady RAT and its attack on over 70 organizations, the theft of RSA’s SecurIDs, and the DigiNotar hack that resulted in the compromise of numerous SSL certificates. All of these attacks have one thing in common: they are all Advanced Persistent Threats (APTs). APTs are a new breed of attack taking the IT industry by storm. They are carefully monitored, resilient to defense, polymorphic and incredibly successful. But these attacks are after much more than a few SecurIDs or SSL certs; the true target is the information these assets allow their attackers to access. With one SSL cert, attackers are able to spawn an infinite number of fake websites and lure in unsuspecting victims who submit valuable personal data and banking data to the false pages, without warning, without suspicion. This information is then used for political and financial gain, all fueling the machine and allowing further attacks to break down the fragile system we all hold dear.

APTs are one of many emerging threats on the frontlines of IT security. Other hot topics in the industry include Cloud Computing security, new challenges in Cryptography, and emerging Exploits. Even business related aspects of IT are changing rapidly such as the many improvements to be made to Risk Management procedures all influenced by the recent natural disasters on the east coast along with the 10 year anniversary of 9/11.

So many emerging topics, so little time.

But there is hope for security professionals. IP3 now offers an all new way for security professionals to learn about all of these new emerging threats and technologies and at the same time keep up on their certifications by earning valuable CPEs, all for an incredible price, wrapped up in a package that fits the lifestyle of even the busiest IT security professional.

Click here for more information on IP3 Inc.’s industry first CPE ToGo program.


Throwing Stones in a Glass Infrastructure

Posted by Ken Kousky on Tuesday, 22 February 2011 in MyBlog

We must all understand that the net is fragile and it can be taken down. We have seen this 'kill switch' in action recently in Egypt. Libya is also taking its cue from Egypt and, in spite of social unrest, its government has also begun shutting down network access. Things are slipping out of hand very quickly, but Americans can breathe a sigh of relief, or can we?

It seems our government is getting ahead of this situation before we meet a similar issue. Senators Joseph Lieberman and Susan Collins reintroduced legislation that prohibits this type of 'Internet Kill Switch' from being initiated by the president. A right to bear arms and a right to assemble lead into our right to the net.

One issue still remains, now that this type of mass Internet blackout technique has surfaced we must not only be concerned with the authorities doing it but everyone else who can now see that this capability does indeed exist.

Taking down the Internet is easier than you may think. The net has two fundamental services. The first is a name and address service, handled through the Domain Name Service infrastructure; without it we don't have email, VoIP, web traffic or any web 2.0 technologies, including the growing Cloud infrastructure. The second service is routing. IP routers run software and can be attacked through a wide range of exploits. Last week, researchers at the University of Minnesota described a targeted DDoS attack that could knock out these services.

Another aspect the Egyptian outage showed us is that nation-states either already have or are aggressively building the tools to disrupt the internet. Think back to the Stuxnet attacks: Iran acknowledges that a joint effort between the United States and the Israelis caused serious damage to the Iranian power infrastructure by damaging centrifuges in their nuclear power plant. If we can attack their infrastructure and get away with it, why would we think they won't attack ours? Mass terrorism could very well go cyber sooner than we know it. Last week, the head of the National Security Agency said that the United States should expect to be attacked. That's right, EXPECT it.

I think the message is clear, for Cloud computing and for general business continuity, resiliency and back up systems are not luxuries, they're mandatory!


~KWK


Looks like a Re-Evolution

Posted by Ken Kousky on Thursday, 27 January 2011 in MyBlog

New Year, New Technology, New Game, New Threats

As we all have heard, 2010 was the year of game-changers, with more malicious attacks and new technology than any preceding year. But now that the rules have changed, it's time to get back in the game.

So far 2011 is outlining huge innovations in technology, tablet PCs will take over our offices, mobility and wireless networking are approaching a new forefront of innovation.

But as we improve our playing strategies so do our enemies. The fight to protect our emerging technology assets is not a game we can afford to lose.

Obama's recent State of the Union address has called for huge investments in information technology innovation. Supercomputing and the advancement of technology were stressed repeatedly within his speech. This spells big things for the IT community.

Get ready for new projects, new technology, and best of all new budgets.

Human resource management will be begging for information technology professionals soon, so be prepared for a job market comeback in IT. The recession is ending and soon the technology movement will be back in full force.

Not only will information technology be the hot topic in industry but also in education. This will open up even more opportunities for IT technicians, security experts, and teachers. Obama has already made the call out to start filling schools and universities with more of these professionals.

So prep your resumes and shine up your certification plaques, the IT revolution is on its way.

In other news IPv4 D-Day is approaching fast. As of February 1, 2011 (maybe even sooner) all IPv4 addresses will be exhausted. Time to start prepping your company for a dual stack implementation. Don't want to lose your competitive edge!

Tags: News

The More Things Change, The More They Stay The Same

Posted by Ken Kousky on Sunday, 10 October 2010 in MyBlog

Imagine a war where your enemy is given a perfect replica of each weapon you use. If you shoot a machine gun, they instantly get one. If you use an RPG, they get one. The more you think about it, the more untenable it becomes. That’s what our cyberwarfare looks like. Code is code, good and bad. But take our example one step farther and realize that every evil piece of code resides in the wild and can be aggregated with techniques and practices to develop ever-more sophisticated attacks.

 

Security is changing. We see it everywhere. It’s becoming INSTITUTIONALIZED. That scares me. Too often we begin to embed practices prematurely. A great example – we’ve institutionalized strong passwords. It will take decades to get rid of them. They’re an oxymoron. If passwords are something an individual knows that we want to use for authentication, strong passwords are a security violation because they’re something the user DOESN’T KNOW! They have to be written down somewhere. They’re tokens. But today’s compliance software tests and makes sure every user has a password they have to write down.

 

Now we confront STUXNET and the A/V vendors say it’s a new world of Advanced Persistent Threats where signatures have little value, but we’ve institutionalized them and they eat up our budgets, create a false illusion of security and can’t do anything at all when we send encrypted traffic.

 

I hope you’ll find time to join us at a Strategy to Reality workshop soon. Five years ago we addressed SCADA training, seven years ago we talked about the failure of strong passwords and last year we covered the covert channels we’ve created by introducing VoIP and leaving it out of the classical security architecture.

 

 

It’s a start ….

 

No matter what level you’re at, you need to stay aware of how technology transitions are creating new exposures. You need to be thinking about all the elements of your enterprise exposed to the net. You need to understand that there are serious scientists working for bad guys.

Tags: stuxnet

Apple Keyboard Exploit a Concern?

Posted by Ken Kousky on Sunday, 16 August 2009 in MyBlog

Apple keyboards are vulnerable to a hack that puts keyloggers and malware directly into the keyboard. This could be a serious problem, and now that the presentation and code is out there, the bad guys will surely be exploiting it.

The vulnerability was discovered by K. Chen, and he gave a talk on it at Blackhat this year. The concept is simple, a modern Apple keyboard has about 8K of flash memory, and 256 bytes of working ram. For the intelligent, this is more than enough space to have a field day.

I wouldn't lose sleep over this or get worked up about Black Hat demonstrations. Compensating controls that continue to provide security in depth in this case would include network and host IDS/IPS, so that the keystroke log files might be found stored on the host or being transmitted out of the enterprise. In the case of a shared public lab, like the university cited, the common safeguard is to wipe and rebuild each machine on a daily basis.

I'd agree that this is another serious vulnerability that should help heighten our awareness of the potential dangers. 

The biggest danger I see in information assurance today is the belief that only good guys are finding these holes and the belief that sharing them at Black Hat educates the bad guys.

Anybody who has spent more than 10 minutes following the current exploits in the wild understands that the folks behind Conficker or the theft of the F35 designs are very, very competent. They don't need Black Hat demos to find opportunities. They're finding more and better exploits on their own.

WE need the demos to help wake up and inform management as to what we're up against and how insanely insecure many systems are today.

The Twitter DDoS, F35 design theft, multi-million node botnets, massive penetration of our power grid and 90% of all email being malicious (I consider all fraudulent mail, including spam, as malicious) should be enough of a wake-up call, but it doesn't seem to penetrate.

Regards

Ken Kousky

Tags: hack

IA

Posted by Ken Kousky on Tuesday, 23 June 2009 in MyBlog

To many, IA refers to information assurance. I really like this term much better than information security since it speaks to the broader concepts of informational integrity and places emphasis on a far-more committed and positive notion - assurance.

However, to others there is an equally important I and A. This is integrity and availability, two of the three traditional goals of security represented by the famous triad c-i-a. For far too long, information security has focused almost exclusively on the "c", confidentiality. In far too many aspects of our modern digital age, integrity and availability are as important or often more important.

I'll never forget a meeting with a retired hospital CEO who scolded me on the destructive influence and operational damages brought by information security professionals who thought HIPAA was about privacy and confidentiality rather than portability and efficiency.

One of the most important lessons I can share about the triad is that these goals are usually competing and at times mutually exclusive. All too often, it's a zero-sum game. That is, to get more confidentiality, we forsake integrity. This is a lesson I often share in our CISSP boot camps. When one looks at the early abstract security models, the Bell-LaPadula model suggests that for multi-layered security one cannot write data down from a higher level of security to a lower level, nor can one read from a lower level to a higher level (insert graphic). While Bell-LaPadula played a vital role in framing our understanding of multi-level security and how a system might be architected to implement these capabilities, it was limited in focus to only confidentiality. Biba produced a model several years later that addressed the more likely commercial concerns about data integrity. To maintain multi-level data integrity, the Biba model states that one cannot write from a lower security level to a higher level, nor can a subject at a higher level read from a lower level.

What we see is these rules are mirror opposites. What provides confidentiality of information prevents integrity controls, and what provides the greatest integrity controls compromises confidentiality.
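An added example, not from the original post, that encodes both rule sets as access checks in Python, assuming a single ordered set of labels is used for both models (as the post's comparison implies): Bell-LaPadula's no-read-up/no-write-down beside Biba's no-read-down/no-write-up, with a function that lists every request one model permits and the other forbids. The label names are constructed.

```python
# Added example, not from the original post: Bell-LaPadula and Biba access
# checks over one constructed set of ordered labels, to show that the two
# models' rules are mirror images of each other.

LEVELS = {"low": 0, "medium": 1, "high": 2}   # constructed label ordering


def blp_allows(subject: str, obj: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s >= o   # simple security property: read only at or below clearance
    if op == "write":
        return s <= o   # *-property: write only at or above clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: str, obj: str, op: str) -> bool:
    """Biba (integrity): no read down, no write up."""
    s, o = LEVELS[subject], LEVELS[obj]
    if op == "read":
        return s <= o   # simple integrity property: read only at or above own level
    if op == "write":
        return s >= o   # integrity *-property: write only at or below own level
    raise ValueError(f"unknown operation {op!r}")


def both_allow(subject: str, obj: str, op: str) -> bool:
    """What survives when both models are enforced on the same labels."""
    return blp_allows(subject, obj, op) and biba_allows(subject, obj, op)


def conflicting_requests() -> list:
    """Every (subject, object, op) that one model permits and the other forbids."""
    conflicts = []
    for subject in LEVELS:
        for obj in LEVELS:
            for op in ("read", "write"):
                if blp_allows(subject, obj, op) != biba_allows(subject, obj, op):
                    conflicts.append((subject, obj, op))
    return conflicts


if __name__ == "__main__":
    for subject, obj, op in conflicting_requests():
        model = "BLP" if blp_allows(subject, obj, op) else "Biba"
        print(f"{subject:>6} {op:>5} {obj:<6}: allowed only by {model}")
    # With both models enforced on one label set, only same-level access remains.
    print("joint allow high->low read:", both_allow("high", "low", "read"))
```

Every cross-level request is permitted by exactly one of the two models, so enforcing both on the same labels leaves only same-level reads and writes; real systems sidestep this by keeping separate secrecy and integrity labels.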

This makes sense in the real world too. When we think about trying to make strategic decisions based on confidential information, we have the challenge of adequately vetting the information. If I tell the whole world we're invading Iraq based on a variety of intelligence sources, we then must disclose those sources. Intelligence personnel are concerned that disclosing their sources will compromise their sources. They fail to appreciate that they compromise the integrity of the source by protecting its confidentiality. How do we review and judge the accuracy and quality of information without disclosing the sources for rigorous review?

So, is it information assurance or integrity and availability that we need to add to our agenda? Actually, I think both go hand-in-hand which, when one thinks about it, might be just what we needed.

Tags: information

More RSA and More on Data Loss Prevention

Posted by Ken Kousky on Sunday, 17 May 2009 in MyBlog

Is it more polite to say data "leakage" prevention rather than "loss"? We know that what leaks might be recovered, and since we usually still have a copy, isn't it a bit bold to call it a "loss"? Sure there were terabytes of data on the most expensive weapon ever developed, but the report in the Wall Street Journal made clear that it wasn't ALL of the data, so maybe that's just a leak. And we still have the original data. But, like TMI and TLI, using three letters saves us the debate all together. Let's just go with DLP.

Of course, once you're in the DLP space, you're touching PCI-DSS compliance and that's a nice slippery slope into the whole realm of protecting electronic health and medical records (the difference here is important, but we'll save that for another posting). EHR/EMR are big pieces of the ARRA (that's another acronym we'll be talking a lot about - it's the American Recovery and Restoration Act, and it's almost $800 billion of the current stimulus package). The important opportunity for creative DLP solutions is around the new protections which are mandated as part of the spending package on health care information systems.

RSA had vendor after vendor with last year's solutions wearing new banners proclaiming there was something new to be seen. For the most part, and I mean for 90% of the exhibitors, there wasn't anything new!

My beef about too little imagination might be contrasted with the creativity and inventiveness we see in malware and botnets today. Now that's where you can see real imagination. Maybe TOO MUCH IMAGINATION! TMI again.

Now if the bad guys had a show think of all the new stuff we'd see. Think of the advances the botnets have made. Think of how much creative energies have gone into landing checks from Google and Microsoft for click fraud attacks. Wouldn't one of the keynotes be the team that took terabytes of data on the United States' most expensive weapons program in history? I'm sure none of you missed the Wall Street Journal article that broke just in time to remind all of the RSA crowd that we're not winning this game. (insert link)

The breakout sessions for the bad guys might include:

  • Advanced SQL injections (something we showcased in our 2003 Strategy to Reality workshop suggesting that website coding needed to be hardened)
  • Buffer overflows for the lazy
  • Selling financial data online
  • New tools for Herders - what your botnet controllers should include ...
  • Marketing strategies for botnets - who wants to rent your million boxes
  • ePay - a new underground for selling whatever you happen to find on a remote node
  • Exploits below the radar - using 10k bots as spam relays allows everybody to be low and slow and never found

If we lack imagination, we're in trouble.

I just want to get you thinking about what the bad guys could really do, or more likely, are already doing.

For years we've been making a big point about the threat of new emerging technologies that are creating big exposures. Does it take imagination to see these threats? Maybe it takes better communications upstream to management and the entire risk management community.

What are your thoughts? Be imaginative. Don't worry, we won't say it's TMI.

Tags: botnet

Pandemics and Continuity

Posted by Ken Kousky
on Sunday, 17 May 2009
in MyBlog

In our Strategy to Reality workshops, we've spent a lot of time discussing the growing commitment to risk management in most of our enterprises. This has to be seen as an extremely valuable process. However, as we rush to be more risk aware, we may be encountering another aspect of TMI (too much information - see the May 4th posting). There are simply too many things that can, and at some point in the future, may well go wrong. It is this uncertainty of outcomes and the potential problems we face that shape our thoughts and planning on risk.

In the context of far greater concerns about risk, our preparedness for a flu pandemic is a vital issue.

For the most part, surveys on the question suggest that there is indeed a substantial


TMI

Posted by Ken Kousky
on Sunday, 03 May 2009
in MyBlog

I just learned some new texting shorthand from my daughters - TMI, meaning too much information.

I also began texting myself for the first time while working the floor at RSA.
So, it got me thinking ....

  • Too Much Information
  • Too Much IP (intellectual property easily stolen over the net)
  • Too Much Infrastructure
  • Too Much Interconnectivity
  • Too Much IP (internet protocol connections)
  • Too Much Indifference

Or maybe it's really about what we don't have enough of?

Has anybody ever used TLI? And that got me thinking that it wasn't just for too little information.

Two weeks ago when I returned from RSA I was both disappointed and discouraged. While the economy may have taken a small toll on the attendance and exhibitors, what really stood out was a lack of imagination. Shortly after 9/11, I heard Richard Clarke use that expression, a lack of imagination. We failed to think outside the box and see many of the obvious threats. When the French built the great Maginot Line, the impenetrable border between France and Germany, they lacked the imagination to see that a German military set on invading France would have few, if any, problems simply going around the wall and entering France through Belgium. My corollary is simply "bad guys cheat", but maybe they also have more imagination.

TLI: Too Little Imagination with all of our other TMI's isn't a good thing!

The industry I saw at RSA lacked imagination. It seemed that just as every other vendor in 2007 realized they had to proclaim they were a NAC solution, this year's required dress was a DLP message somewhere in the booth. Data loss is a big problem. Most forms of computer security touch one or many aspects of data loss prevention. So, if word is out that industry needs data loss prevention, then everybody has it. 

So, while we're struggling with too much information, we seem to simultaneously drown out the creative interpretation of all that information that comes from creative and insightful imagination.

I can take the TMI but the TLI is killing us! What do you think? Feel free to share more than 3 letters.

Tags: information

The Governmental Response

Posted by Ken Kousky
on Thursday, 16 April 2009
in MyBlog

Any student of modern history must understand that when bad things occur, in particular when there are systemic failures, government happens.

While most IT security professionals are familiar with the Gramm-Leach-Bliley Act's requirement that personal financial information be appropriately protected, it's impossible to understand today's economic crisis without realizing the profound impact that GLBA had in deregulating or de-governing the American financial system. Not only did GLBA open the door for the evolution of derivative markets, it allowed banks and financial institutions to create highly flexible but highly de-governed and deregulated enterprises. The traditional regulated mortgage industry was replaced by an unregulated, and thus de-governed, financial industry. It was a disastrous failure!

The primary concern of IT security professionals should be foresight in organizing and preparing for a massive new array of regulatory oversight. Similar to the impact of the Gramm-Leach-Bliley Act, we can expect the information security and information assurance requirements to be embedded in far more comprehensive and complex regulatory legislation.

Of particular concern should be the inevitable regulatory responses.

First, we can expect regulation to go beyond broad information assurance statements and become increasingly specific. This is the result of failed generalities. For example, legislation for accelerating the implementation of electronic medical records will increasingly drive more specific safeguards of this information. We can be certain that the focus on confidentiality and privacy will be expanded to cover information integrity and availability as well. Availability failures in medical records certainly can create life-threatening scenarios.

Second, the integrity of financial information will continue to be addressed through more and more specific guidance. Sarbanes-Oxley was an early attempt, rushed to legislation following the collapse of Enron. The next round of regulatory controls will be more specific and simultaneously more comprehensive.

Finally, there is an emerging trend to validate, accredit or certify the competencies of security professionals. This was highlighted in a recent Wall Street Journal article by Bruce Schneier, dated March 31, 2009, Who Should Be in Charge of Cybersecurity? Specific legislation, recently cited in a Washington Post article dated April 1, 2009, Senate Legislation Would Federalize Cybersecurity, would require the licensing and certification of cybersecurity professionals. The legislation (Rockefeller-Snowe Measure), co-sponsored by Senate Commerce Committee Chairman John D. Rockefeller IV (D-W.Va.) and Senator Olympia J. Snowe (R-Maine), can be found in a U.S. Senate working draft of the Bill dated March 31, 2009.

This proposed legislation specifically states:

"Section 7: LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS

(a) In General. - Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.

(b) Mandatory Licensing.-Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated by the President, or the President's designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."

At IP3 our specific strategy will be to continue to organize and assemble the appropriate training and technical knowledge necessary to stay in front of these trends. We'll continue to focus on certification prep programs and stay abreast of the ongoing trends in certification requirements. My prior work with the Institute for Defense Analysis included the advisory team that produced the guidance which led to DoD Directive 8570 mandating a broad array of specific certifications for military security professionals. We will try to stay closely involved in similar trends and continue to provide you, our clients, the most comprehensive overview and insight into these trends possible.

Get smart, and stay smart.

KWK

Tags: regulation

Risk Management, Economic Stimulus and Information Assurance

Posted by Ken Kousky
on Monday, 12 January 2009
in MyBlog

The chaos resulting from the economic disaster in our financial system and the ensuing rush to spend money to stimulate economic growth has left information assurance and IT security side-lined. 

Most organizations are trying to understand the new business conditions before they allocate budgets for IT. At the same time, an increased focus on risk management is tying up critical management resources. Much of the current work will prove to be tedious bureaucratic processes with little true economic impact. There is simply too much focus on "grand unifying methodologies".

In the midst of these conflicting initiatives, there are several clear key critical points on which new strategies must be built. 

First, the economic collapse was rooted in information assurance. The failure to have transparency in derivative contracts was an information integrity failure. Alan Greenspan and both political parties, along with our major regulators, all put phenomenal faith in counter-party surveillance. The idea was that the financial system could not load up with lousy or fraudulent transactions because there is always a counter party to every sale. Somebody is putting money at risk, and they're the most obvious party to regulate the risks they accept. The buyer and seller had strong vested interests in making sure that their contracts were secured. What lender would want to expose their money to investments that were likely to fail?

However, they did make these investments and they did lose billions of dollars. The failures were systemic. That is, the overall processes and governance failed us. Systemic failures always require systemic solutions, and it is inevitable that a new array of government regulations and oversight will be applied to the financial industry. To this, we can add the auto industry with billions of unfunded pension liabilities and the accountants who missed all of this. So, our first guiding principle is that every organization should be preparing itself for a vast new array of regulations that will have profound impact on the enterprise. This means substantially more information processing for everything from car loans and mortgages to operational accounting and reporting. 

Mark-to-market as an accounting principle suggests that financial assets be adjusted to reflect their current market value. This can only be done through a massive amount of readily available economic information. What we should think about is Sarbanes-Oxley on steroids. We should also realize that with all this new regulation there will be more vital and strategic information to be protected, so we might think of it as Sarbanes-Oxley² plus a healthy dose of PCI and HIPAA, more data with more data loss protection. 

The winners will be companies that design, develop and deploy appropriate information processing systems with adequate security and risk analysis so that they can be both more secure and more compliant. That's a big upside opportunity for information security.

It's funny that over the last year in our surveys of executives from our flagship seminar series, Strategy to Reality, regulatory compliance was consistently listed as one of the serious risks confronting an enterprise. While compliance is meant to provide assurance that we are mitigating risks, it has become a threat in itself. Healthy organizations must begin now to harmonize their compliance processes with actual threat mitigation. This is the second principle we'll talk about in another posting.

Third, an economic stimulus for the enterprise will likely include investment incentives. The Obama administration has already outlined that improved information technology in healthcare will be one of the targeted infrastructures. We're seeing a more generalized theme emerging where the stimulus package for infrastructure is not our old conservation corps building parks and planting trees but, more likely, a modern cyber structure providing greater information technology resources to schools, hospitals and governments. While there certainly is far more we'll be discussing in these areas, the key point is that the last thing a troubled economy needs is more risk and uncertainty. Winners and losers are always pronounced during periods of economic volatility, and we can be certain that this period will be no exception. 

We believe information assurance and IT security will be vital industries in the new economic order!

Tell us what you think.

Tags: risk

The Other WMD

Posted by Ken Kousky
on Sunday, 14 December 2008
in MyBlog

The possibility, even when remote, that a small band of fanatical terrorists could gain possession of the materials necessary to assemble and detonate a nuclear bomb in the United States is one of the most horrifying dimensions of risk in the 21st century. It serves to define asymmetric warfare: a war in which an extremely small number of committed individuals are able to harness unbelievable power in their attacks on the most developed and prosperous nation in the world.

A related aspect of asymmetric warfare is the inability to identify and target the assailants through classical means.

A concept closely related to weapons of mass destruction (WMDs) is the tools of mass disruption. The use of such tools is often referred to as cyber warfare, and the threats they pose have many parallels to our concerns over traditional weapons of mass destruction.

  1. Weapons of mass disruption can be harnessed by an extremely small group of committed individuals.
  2. Their potential for collateral damage is significant.
  3. Like a nuclear blast, their destruction is indiscriminate.
  4. Properly identifying the source and counter-attacking with traditional conventional programs may be impossible.

Over the last year, we have seen numerous events that clearly raise the probability of a loss to weapons of mass disruption (WMDr). There's good reason for us to raise our concerns over an expected loss to WMDr.

In Estonia and this year in Georgia, we have witnessed expanded use of disruptive attacks. DDoS attacks on critical infrastructure are quite potent. We have seen successful attacks on the Commerce Department's office responsible for tracking and protecting our intellectual property globally. Targeted attacks on Spamhaus, DNS servers and commercial sites all add to our heightened threat level for WMDr.

Given the knowledge that the probability of an incident is increasing, we should also note that there is growing evidence that the potential impact of such attacks is also expanding. Two areas of particular concern, VoIP phone systems and our DNS directories, suggest that far more vital infrastructure can be easily knocked out. A parallel concern to the potential damage that can be wreaked is based on the growing capacity of botnets. When over a million nodes can be leveraged as attack vehicles, the potential impact becomes chilling.

If we take to heart the vast array of vulnerabilities we are patching on a daily basis, it's clear that virtually all devices we are connecting to the internet can potentially be compromised and harnessed as attack nodes. This would include gaming or video recording devices built on Linux kernels. If the kernel has known exposures, and it's possible to touch these devices through the net, couldn't they be compromised? What happens when a million video recorders turn on us?

The first step in any appropriate strategy to defend against WMDr is to increase our awareness, and include this threat in our risk analysis. This would include paying as much attention to WMDr as we do to WMDs. Literature on risk analysis demonstrates clearly that high impact but low probability events are often very difficult to measure, compared to more familiar events with high probability but much lower impact. WMDr are far more likely to impact most enterprises, but the perceived impact is very limited. We may need to pay special attention to adequate defenses to make sure that this is the case.
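To make that last point concrete, here is an added Python example (not from the original post or from IP3) that ranks a small risk register two ways. The register, its probabilities and its loss figures are all constructed for illustration; the names of the risks echo the post's examples (DDoS, DNS, VoIP, botnets) but none of the numbers come from it. Ranking by annualized expected loss (probability times impact) pushes the frequent, limited-impact WMDr items to the top, while ranking by single-event impact puts the rare catastrophe first, and the `years_to_observe` figure shows why a probability of one in a thousand per year can never be checked against an organization's own history.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    """One line of a risk register (all values constructed for illustration)."""
    name: str
    annual_probability: float  # probability of at least one occurrence per year
    impact: float              # loss if it occurs, in arbitrary currency units

    def expected_loss(self) -> float:
        """Annualized expected loss: probability times impact."""
        return self.annual_probability * self.impact

    def years_to_observe(self) -> float:
        """Mean waiting time until the first occurrence (1 / p).

        For rare events this is far longer than any organization's operating
        history, which is why their probability cannot be estimated from
        experience and has to be argued from threat analysis instead.
        """
        return 1.0 / self.annual_probability


# Constructed register: the numbers are illustrative, not statistics from the post.
REGISTER: List[Risk] = [
    Risk("Botnet DDoS on public web front end (WMDr)", 0.50, 200_000),
    Risk("DNS outage from upstream attack (WMDr)", 0.25, 500_000),
    Risk("VoIP system knocked offline (WMDr)", 0.30, 150_000),
    Risk("Catastrophic physical attack on data center (WMD-class)", 0.001, 50_000_000),
]


def rank_by_expected_loss(risks: List[Risk]) -> List[str]:
    """Order by annualized expected loss, highest first."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True)]


def rank_by_impact(risks: List[Risk]) -> List[str]:
    """Order by single-event impact, highest first (probability ignored)."""
    return [r.name for r in sorted(risks, key=lambda r: r.impact, reverse=True)]


def beyond_tolerance(risks: List[Risk], max_absorbable_loss: float) -> List[str]:
    """Risks whose single occurrence exceeds what the organization can survive.

    These need treatment (transfer, avoidance, dedicated controls) however small
    their expected loss looks, because expected loss averages the tail away.
    """
    return [r.name for r in risks if r.impact > max_absorbable_loss]


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:58s} EL={r.expected_loss():>10,.0f}  ~{r.years_to_observe():,.0f} yrs/event")
    print("By expected loss:", rank_by_expected_loss(REGISTER))
    print("By impact:       ", rank_by_impact(REGISTER))
    print("Beyond tolerance:", beyond_tolerance(REGISTER, 10_000_000))
```

With these constructed figures the two orderings disagree at the top: expected loss ranks the DNS and DDoS scenarios first and the catastrophic attack third, while impact alone ranks the catastrophe first. A register that reports only one of the two columns hides that disagreement, which is the practical form of the measurement problem the paragraph above describes.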

More to follow . . . .

Tags: viruses

Who's Winning the War?

Posted by Ken Kousky
on Wednesday, 06 August 2008
in MyBlog

Winning the war: no, this isn't about Iraq or al-Qaeda, but it is about a massive asymmetric war raging on the Internet. Botnets are now able to claim millions of nodes to harness for malicious use, and the question we have to continually ask is: how are we doing?

Today's headlines read that 11 perpetrators allegedly involved in hacking 9 major U.S. retailers were indicted. They're allegedly involved in the channeling of over 40 million credit cards and debit cards. We took down 11 bad guys, and the press suggests that we've made a major dent.

However, the Commerce Department has previously said that they believe that online fraud and crime today is larger than the illicit drug industry in the United States. The illicit drug industry has produced over 500,000 prison inmates. The war on illicit drugs costs billions of dollars and involves international aid to foreign governments to assist them in drug eradication, and it engages virtually all aspects of our legal system from local police to large dedicated federal teams. One significant argument for the imbalance of resources is that drug-related crimes are much more likely to involve threats to life and physical safety. However, as we explore the digitization of our modern life, it's hard to believe that cyber attacks won't impact life as medical systems, SCADA controls and other critical resources become exposed to cyber exploits.

Three questions we need to ask:

1) How serious are these threats?

2) How are we doing in mitigating these threats?

3) What can we learn from our risk analysis to better defend employment of new medical systems, VoIP implementations, and the ongoing connection of defenseless consumer products linked to the Internet?

I've frequently posed the question of what happens when our VCRs, refrigerators and cars are all IP devices and one day turn on us. Our job is to make sure that day never comes, but some days I wake up thinking we're losing the war.

"What do you think?"

This is an active forum, and we'd love to hear your feedback.
