RSS Site Feed

Security Connections
Monarch Information Networks provides information security management services and expert witness services.
  • The First National Cybersecurity Summit
    On July 31, 2018 I attended the first National Cybersecurity Summit at the US Customs House in lower Manhattan. The building itself was constructed around 1902-1907 in order to collect tariffs. Teddy Roosevelt was President and tariffs were a subject of divisive national debate. Global issues were still in evidence at the Cybersecurity Summit, with the administration promoting new initiatives to protect US critical infrastructure and democratic processes. In attendance to support these new initiatives were: Vice President Pence, Energy Secretary Rick Perry, FBI Director Wray, General Paul Nakasone (NSA and US Cyber Command), Kirstjen Nielsen, Secretary of DHS, Chris Krebs, head of DHS's NPPD (National Protection and Programs Directorate), as well as CEOs from industry and leaders from academia. Audience members filled the 350-seat auditorium and spilled over into another viewing room down the hall. So, what was new, if anything? Secretary Nielsen announced the new National Risk M...
  • New Privacy Laws Require Security Professionals Up Their Game
    Two recent privacy laws, GDPR and the California Consumer Privacy Act (AB 375), focus more attention on protecting the digital privacy of individuals. Both laws will require that security professionals up their game. In this post I will cover some of the security implications of AB 375. Gone are the days when privacy requirements could be handed off to privacy officers or legal counsel. Today's requirements are so granular that they will require new security technology, processes and knowledge. To summarize the California Consumer Privacy Act of 2018: it goes into effect January 1, 2020; it includes a private right of action in breaches involving unencrypted or nonredacted personal information; it offers California citizens the right to know what information is being collected about them, know if their information is being sold and to whom, forbid sale of personal information, gain access to their personal information, and retain their rights to equitable service even if they forbid sale of their informat...
  • Cybersecurity Workforce Development: Real or Imagined Problem?
    Yesterday DHS and the Commerce Department released their most recent workforce report, "Supporting the Growth and Sustainment of the Nation's Cybersecurity Workforce". The report was commissioned by the Trump administration in May 2017. Having studied this issue from roles in academia, private industry and government, I thought I would share my thoughts on the report. Overall, I thought it does a good job and provides good ideas for improvement. I have always had a bone to pick with reports of astronomical cybersecurity job shortages. The Cybersecurity Workforce report states that there are 299,000 active openings for US cyber-related jobs. OK, but when I search (cybersecurity + cyber security) on www.indeed.com I find a total of 53,007 jobs. Somehow 82% of the jobs are not found on Indeed. Where are they? The DHS/Commerce report does acknowledge that we really don't know how many jobs are open and exactly what industry and government needs. What is the cybersecurity workforce...
  • Antidote for Fake Everything
    In this digital era, anything can be faked: followers, news, experts, emails and so on. The possibilities are limited only by the imagination of the faker. It turns out that these issues were addressed back in 1996 by Carl Sagan, the world-famous astronomer. His context was UFOs, but his formula for separating facts from fiction is even more applicable today. He called his 9-step process "The Fine Art of Baloney Detection" and described it in his best-selling book, The Demon-Haunted World. Here is a summary: whenever possible, there must be independent confirmation of the facts; encourage substantive debate on the evidence by knowledgeable proponents; do not overweight arguments from so-called authorities; spin more than one hypothesis for the evidence; try not to get too attached to your own hypothesis; quantify competing hypotheses; if using a chained argument, every link must work; Occam's Razor: choose the simpler of two hypotheses; can the hypothesis be tested? Keep this list in mind when...
  • Information Security Risks, Gray Rhinos and Black Swans
    Information security over the past few years has been obsessed with zero-day vulnerabilities, hacking exploits and headline-making mega breaches. Every security risk manager is looking for the unknown unknowns that could result in untimely unemployment. But is that the right approach? One presentation and one book made me think otherwise. The presentation was Alex Stamos's talk last summer at Black Hat; you can listen to it here. In this talk he highlights the differences between risks identified by traditional InfoSec and newer risks that he calls "abuse". The triangle diagram below from his talk captures his point. Note that the vertical scale is a log scale. Mr. Stamos's definition of abuse is "technically correct use of a technology to cause harm". Think user profile scraping, insider trading, spam, doxing, sexual exploitation, etc. The log scale illustrates that the biggest risks are found in the category of abuse. Zero days and targeted attacks are orders of magnitude...
  • Managing Information Security On a Limited Budget
    The recent government shutdown got me thinking about budgets and information security. Having just submitted a proposal to a small business myself, I am asking the question: what is best practice for small or mid-sized business (SMB) information security? Every SMB is going to have a limited budget. This budget has to cover control implementation and maintenance. There's no point in minimizing risks if you will run out of money for maintenance at a later date. In this post, I want to address the costs of running the security program on an ongoing basis. Gartner came up with Total Cost of Ownership (TCO) back in the 1980s but hasn't applied it to information security. I am claiming that the cost of maintaining your security program is often overlooked and is critical for an SMB, where budgets are limited. There are several good references for SMB security. NIST has developed NISTIR 7621, "Small Business Information Security: The Fundamentals". This document recommends taking an ...
  • Building a Security Start-Up
    If only building a security start-up was as predictable as transitioning from caterpillar to butterfly! But it's not. Unfortunately it usually requires many turns and corresponding changes. Consider companies like Blackberry, once a ubiquitous handset provider, now an enterprise security provider. Or Radware, once a load-balancing product company, now known for its DDoS solutions. The most dramatic change in our industry is Amazon, once a book company, now marketing a whole range of secure cloud solutions. If you are a start-up, you want to avoid the dreaded pivot with its associated hard resource costs and, potentially, people costs. How do you keep up with constantly changing marketplace requirements without pivoting? I recently discovered an amazing tool for this purpose, the Business Model Canvas. It's not brand new, but if you aren't using it, please read on for a short introduction. For details and much more, please see the original work Business Model Generation (2010) by Al...
  • Cybersecurity Risk Management for Directors
    There are many posts on corporate directors' responsibilities toward the organizations where they are board members. In fact, corporate directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection. This protection should include both home and professional office. Directors obviously will have access to sensitive insider information that many unauthorized parties would like to get access to. Many directors will also be targets as High Net Worth (HNW) individuals. Cybercriminals always target the weakest link; as corporate information security improves, they increasingly will target the home networks of key executives or directors. Breaches such as Equifax have put so much personal information into the hands of criminals that individuals increasingly will become targets. Directors represent a perfect demographic cross-section to be attacked. Attack vectors may include phishing, ransomware and social media. Earlier this y...
  • Should Your CIO Learn to Code?
    This topic came up because of two recent headlines and one new book. The first was the news that the now-former Equifax CISO was a music major, without formal college-level tech or security training. The second was the recent article in the WSJ highlighting Bank of America's new Chief Operations and Technology Officer, Cathy Bessant. Ms. Bessant's outstanding background includes general management and marketing, but not specifically technology leadership. The book I mentioned is Mark Schwartz's Seat at the Table (2017). Mr. Schwartz argues that, today, tech leaders need a hard core of tech knowledge and can't be just managers putting on a propeller hat. He bases this conclusion on the rapid and deep penetration of technology into all business operations and the continued rapid change in that technology. In many cases, business leaders will take the initiative to adopt new technology. In this situation, everyone in the organization is tech savvy; but it is the tech leaders that mus...
  • How IT Leaders Can Keep a Seat at the Table
    In this era of digital disruption, business leaders are turning to technology to keep up. But will they continue to turn to traditional IT leaders to map out the future? This is the question addressed by Mark Schwartz's new book A Seat at the Table. Mr. Schwartz engagingly analyzes the present and provides guidance for IT leaders to get and keep a "seat at the table". In the beginning, we had Waterfall systems development. CIOs could take orders from business leaders, translate the orders into technology roadmaps, develop milestones and implement systems. Then the business discovered SaaS and the Shadow IT department was born. The most recent trend is Agile/DevOps, in which business collaborates directly with development and DevOps engineers are tasked with implementing code. What is the role of IT leadership when business leaders are directing systems development? Gartner has defined Mode 1 and Mode 2 activities for IT. Mode 1 is keeping the lights on and Mode 2 is managing ...
  • Equifax points out again the need for speed in security management
    The Equifax data breach illustrates again the need for speed in security management. If the breach was through a known vulnerability, we wonder why it wasn't patched. If through another path, we wonder why the attack wasn't detected. We have so many incident and event management tools for servers, desktops and networks that it is hard to believe that Equifax did not have such tools. In the past, breaches like this have resulted from delays in detecting or reacting to attacks. As the pace of digital business transformation continues to increase, security management needs to increase its rate of change. The OODA loop has been highlighted as a general approach to fast, accurate decision making. Recently I came across a really good explanation of this by John Braddock, a former CIA case officer. You can check out his book on Amazon: A Spy's Guide to Thinking. Let's look at what these frameworks are and how to use them in cybersecurity management. The original OODA (Observe, Orient, Decisi...
  • Anatomy of a Security Breach
    In recent information security news, The Wall Street Journal reported on the upcoming trial of an alleged botnet master. The trial is in progress now. It is not often that we get a look at the details of a computer security breach, but in this case at least some details are in the docket of the Eastern District of NY. I have downloaded the original complaint of US v. Gasperini here. The accusations include violations of the Computer Fraud and Abuse Act, Wire Fraud, Conspiracy to Commit Wire Fraud, and Conspiracy to Commit Money Laundering. All of these acts were allegedly undertaken in a click fraud scheme. If you want to understand the details of these accusations, I uploaded the judge's jury directions here. The defendant allegedly hacked into QNAP NAS devices using the Shellshock vulnerability and downloaded click fraud software. This is a network device that many people will not patch regularly. Unfortunately, the court transcripts don't describe how he got past firewall security....
  • The Smartest Information Security Companies
    Every year, MIT Technology Review publishes its list of the 50 smartest companies. This year, two information security companies made the list, along with big-time players like Amazon, SpaceX, etc. TR doesn't publish the detailed selection criteria, but they include things like ability to dominate the chosen market and innovative use of technology. The two security companies on the list are pretty much unknown in the general US marketplace, but according to TR, are not likely to stay that way. #11 on the TR list is Face++ (faceplusplus.com), a business that has gone beyond startup in facial recognition. The company is based in China, where its technology is embedded in many online services. Other companies such as LTU (www.ltutech.com) have pioneered in image recognition. Face++ has concentrated on facial recognition. Its $1B valuation may well be supported by the Chinese market alone. It's not clear whether this technology will be popular in the US, where many people may not wa...
  • Book Review: Play Bigger
    Play Bigger is a new book by entrepreneurs for entrepreneurs (2016, Harper Business). The authors' theme is that today's markets are so crowded that you cannot rely on niche marketing into white spaces; you have to create your own white spaces, or "categories". The goal is to be a "category king". The idea of niche marketing has been around forever. Ries and Trout documented these ideas in their classic, Positioning (2000). Authors Ramadan, Peterson, Lochhead and Maney propose that in today's markets, with enough money, genius and hard work, you can create your own category. To build a business using their approach you need to create a category, a product and a company. They all need to work together. This is sound advice. The challenges are: what is your idea, how big is your category and is it defensible? iPads, ERP software and SaaS are examples of unique new categories that have gone to the business hall of fame. Even if you don't have ideas this big you can still take away very ...
  • Long Term Beneficiaries of WannaCry
    The current worldwide attack from WannaCry is going to have lasting impact for information security. The question is: what will that be and who will benefit? In this blog post I will take a contrarian viewpoint and suggest that it will not be beneficial to security practitioners or security businesses. I think business leaders, who fund security programs, will take alternative approaches to mitigating this risk. At present, we have over 1600 security firms offering solutions to attacks like WannaCry. Unfortunately, this patchwork-quilt mitigation approach isn't working. Not because of the security firms, but because there are too many potential leaks in the ship to manage. So, I predict that business leaders will change ships and increasingly move legacy systems and new systems into the cloud. This is already happening and incidents like WannaCry will accelerate it. No business person is going to upgrade XP systems to Windows 2016 when they can hand over security responsibility to some...
  • RISK: A NEW MOVIE ABOUT JULIAN ASSANGE
    Last night I went to a screening of Laura Poitras's movie about Julian Assange. If you are interested in national security, I highly recommend the film. I had expected a big crowd, but Nashville's Belcourt was only about 20% full. Love WikiLeaks or hate WikiLeaks, it is likely Assange will continue to be in the news. The movie ends with Attorney General Sessions' statements directed toward putting Assange in jail. The rest of the movie covers the period back to 2006, when WikiLeaks was founded. You can come to your own conclusions as to whether WikiLeaks was or still is a valuable publishing forum. I came away with questions such as: who is funding this organization? Or, what is the public benefit of disclosing the Vault 7 CIA documents? Should WikiLeaks be using Twitter to promote the hack of the Macron campaign, as some have reported? The media blitz surrounding everything Assange does (including this movie) is shocking. Probably not for those participating, but for those of us on the...
  • TRADE SECRET THEFT CONTINUES UNABATED
    One of the biggest cyber threats that many US companies face is theft of their intellectual property (IP). This includes trade secrets, patents, software and copies of tangible goods. The recently released Update to the IP Commission Report gives tangible, current information on all four categories. The original report was published in 2013 amidst headlines about Chinese cyber attacks on US businesses. The conclusion of the February 2017 update report is that IP theft continues, although the headline-grabbing thefts may have dropped off. Not all intellectual property theft results exclusively from a cyber attack, although most thefts are cyber-enabled. The most notable report points related specifically to trade secret theft are: total loss to the US economy in the range of $180-$540 billion per year; IP-intensive firms responsible for 35% of jobs in the US labor force; no evidence that China has stopped hacking US firms. The updated report also includes recommendations, including those for improved c...
  • TENNESSEE LEGISLATORS MUDDY WATERS AROUND PRIVACY BREACH NOTIFICATION REQUIREMENTS
    The Tennessee legislature recently passed a modification to the state privacy breach notification requirements, 47-18-2107. The modification has been sent to the governor for signature. Unfortunately, the modification just confuses the law's requirements. The existing code says that a breach notification is required if unauthorized acquisition of unencrypted computerized data takes place. The breach also has to materially compromise the security, confidentiality, or integrity of personal information. This seems clear to me. The new code says that notification is required when acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information takes place. The data does not have to be unencrypted. However, subsections add an exception for encrypted data. If the data breached is encrypted, breach notification is not triggered. One encryption exception is for data encrypted in accordance with FIPS 140-2, a Federal Informa...
  • LEADERSHIP CHECKLIST FOR SECURITY PROFESSIONALS
    If you are like me, you have read through many articles and books on leadership. Most security professionals come with a technical background that does not directly facilitate leading people. But solutions aren't easy to find, either. Many leadership training programs seem vague to me. What about "soft skills" vs. "hard skills", Aristotle vs. Socrates, or the art of leadership? What are we to make of this? We are used to meeting compliance requirements and managing risk. Presenting a book that I think fills a gap in leadership education: The Little Book of Leadership Development, by Scott Allen and Mitchell Kusy. Allen and Kusy offer 50 ways to bring out the leader in every employee. Yes, a checklist of 50 items! The book's focus is on how you can develop leadership skills in the employees you manage. But, in the process of doing this, you can develop your own leadership skills! The book is divided into 5 sections. Each section contains 1-2 page tips on leadership. One section is devote...
  • SIEM VENDORS HAVE IT ALL BACKWARDS
    On my way into the office this morning, I listened to a podcast interview of a well-known SIEM vendor. I got more and more frustrated at the wheel, but did make it to the office without incident. The focus of this conversation was the plethora of log sources that this vendor could ingest (system, network, endpoint) and the machine learning used to analyze the data. This is backwards. Good security designs need to start with the CUSTOMER. Yes, the customer. Who are the specific people that want information and what exactly do they want to see? Users could be audit, security operations, CISO, security analysts, developers, etc. Any other log files collected are irrelevant. This approach is just lean thinking applied to security. Lean itself has been discussed in many books; I discussed it in the context of security here. The first lean principle is "voice of the customer". SIEM tool design needs to run backwards, starting with the user interface, not the sources of data. Another...