Cyber Security – A basic look at Defense in Depth

A basic somewhat quirky and fun look at Defense in Depth.

 

Video | Posted on by | Tagged , , , , , , , , , | Leave a comment

The Highest Risk Ever….. Not!

 

BlogWordleI just received one of my daily news reports about Cyber Security and it said something to the effect of such and such a Research group has found out that Application Security holes are at highest numbers ever and this number is expected to increase even further in 2016!  Companies really need to focus on fixing the risk incurred by these applications.  I thought, “Wow, Really”?  I mean yet another highest number, highest risk, most vulnerable, more danger than ever before message.  What a surprise it was to get yet another news feed about a Cyber Security vulnerability being the worst ever.  (that last sentence is dripping with sarcasm – just in case you couldn’t tell).   I really just want to shout and scream out that No It Isn’t the highest total ever!  None of these items being touted as worst ever are really the worst ever.  The simple reality is that we are still in our relative infancy when it comes to Cyber Security as a profession and as something to write about.  Being in our infancy means that we are still finding lots of this things that we couldn’t find before.

None of these vulnerabilities appeared overnight.  The vulnerabilities that we are now finding and that are generating these, at times horrific, Blog- Overnightreports about numbers of vulnerabilities have always been there.  Not only have these vulnerabilities been there but here is a secret I will let you in on – there are many more that we still haven’t discovered!  Companies, researchers, etc. now have the proper tools to discover concerning Cyber Security  vulnerabilities in large numbers.  These are items that in the past no one knew about even though they were there.  As more and better tools come out we will find even more of the worst vulnerabilities ever.

Vulnerable OS, vulnerable Webpages, vulnerable coding, vulnerable hardware or firmware,  these items have been around for decades and will remain around.  So while it is great that we can now find these and do something about fixing and remediation of these vulnerabilities they aren’t new.  Maybe newly discovered or newly recognized but they have always been there.   

Why am I going on about something that is basically hype, and in some ways good in that it publicizes exposure to these items so that Cyber Security professionals can use them to raise awareness, funding and support for remediation?  Because of the way the reports and news articles are written.  In too many cases these articles raise awareness and hype of issues that are much lower risk than the ones the organization’s Information Security team are already working on.  I have sat in many meetings where executive management has looked at the Chief Information Security Officer (CISO) and said “I know your team is really busy remediating core vulnerabilities across our Financial landscape but I read something yesterday about mobile devices being very vulnerable and I think we need to re-focus our resources….  the article really made this mobile risk sound like the most dangerous thing ever.”  

Don’t get me wrong,  I appreciate the awareness being generated but …. the WORST EVER …. no in most cases it really isn’t.  There are lots of Cyber Security items just as bad or worse that most organizations need to fix and the decision on where the highest Information Security risk sits inside of the company should not be decided by reporters and vendors but should rest on the shoulders of the CISO and the experts they have hired to analyze and determine what risk items need immediate attention.

 

Posted in Uncategorized | Tagged , , , , , , | Leave a comment

A Note I Wrote to Someone Who Once Worked for Me

I recently had the honor to help provide a strong reference for a person who worked for me as a Cyber Analyst.  She got the Senior position she was going for but was just a little worried about what they should do in order to lead a team and be a good leader.  Here is what I related to this extremely competent future Cybersecurity leader.

Hi:

First and foremost – you are going to do great in your new role. I encourage you to model your leadership style after the following rule(s):

Use the leadership model of:
Am I doing the right thing
Am I doing it for the right reason
Am I doing it at the right time
Am I doing it in the right way

This is on the back of the Challenge Coin I had made up for our UC team.

Always act with Integrity and walk your talk. You don’t always need to be right but you always need to be honest with the people you lead.

Remember that “We are smarter than Me” and foster healthy discussion and debate on topics. Try to pull ideas and suggestions from those you lead who are more on the quiet side. Don’t let aggressive Type A personalities (like me) dominate the conversation.

When coming out of a meeting get your team members used to doing a 5 minute feedback session (what did we do right, wrong, what should we (or I) have done differently, etc. Remember – Feedback is a gift.

Training of your people needs to be a priority and always remember to help others be Greater Than Yourself. There is enough success out there for everyone, help grow your people so that they can be your boss some day and if that did happen they would be a good boss to work for.

Don’t hesitate to email if you have specific questions. Have confidence, breath deep and believe in yourself – you got this!

Posted in Uncategorized | Tagged , , , , , , , | Leave a comment

CIsO or ciSo?

In some big companies it does make sense to have a polished CISO who is responsible for working both the Boardroom and the IT Executive management group. In those cases a strong security focused Deputy CISO should be considered for the heavy Security lifting that is also required. As a CIO friend of mine told me recently both of those skills is very hard to find in a single person.

My primary concern is for mid-range and smaller companies that want a CISO and are unsure of what skill set is most needed on the part of their CISO to fight organized crime, unscrupulous competitors or nation state actors. I believe that they are making a mistake with some current hires I have observed.

A somewhat scary trend that I am starting to see is now that CISO salaries are going up companies are putting Deputy or Associate CIO’s in those positions. This makes sense if we consider human nature as the CIO’s seem to be more comfortable with someone who is not “such a security guy or girl” talking to Executive Management.

Of course this approach continues to severely downplay the S (Security) component of the CISO role and is yet another path which, IMO, will lead to failure in the fight against Cyber Criminals. In many cases we need to move to having a ciSo instead of CIsO (a catch-phrase I am trying to get to catch on) and remember that it takes trained and experienced security professionals to fight organized crime, unscrupulous competitors and nation state actors. In my opinion the S in the ciSo title needs to carry the most weight for the majority of companies in their fight against cyber crime.

Posted in Uncategorized | Leave a comment

Your Horse Was Analog

Your Horse Was Analog

Kevin L. McLaughlin

A  speech I made to 350+ people at the Michigan joint Military Ball.  Amway Grand Plaza Hotel.

Like my tie? My wife didn’t – gave me a lot of grief before we left the house,  you know how difficult things can be when your significant other doesn’t approve of your choice in clothing.

Well you see this tie has snoopy, the moon, the space shuttle and Apollo craft on it and it was given to me by Fred Hayes, yes the Apollo 13 Fred Hayes , yes astronauts are pretty neat people,  anyways Fred gave this to me when we were working on a project together and he told me that whenever I wore this tie I could look down at the pictures and that no matter what I do in the life I should remember that if we put a man on the moon we can do anything as a country.

…. as a country we can do anything,  even figure out how to defeat this cyber threat.

I want to change that thought just a little bit because I know what type of people went to and walked on the moon –  as a whole the U.S. Military and its veterans can do anything   make no mistake we are under attack, not by conventional weapon systems like guns and missiles but by cyber warriors utilizing digital attack vectors.

My speech tonight will be about trust and how it will help us win our cyber battle.  But, before I start I would like to do a shameless plug for the Whirlpool Veterans Association, who mentors soldiers transitioning to the private sector and with multiple outreach programs – I am sure many of the companies you work for have similar programs and a big thank you to those as well.

Trust and authority will be tonight’s theme. A lot of Information Security Professionals left Home Depot after years of not having their voices heard and repeatedly being over-ridden about whether a system could be touched or not.  Many Board of Directors are asking how to fix the cyber issue  –  a lot of the CIO’s and some of the CISO’s when asked that question are taking a passive posture of saying that their job is to make them aware of the risk versus telling them what to do.  In my opinion that is not the right answer… the people who are trained in cyber defense need to drive answers and solutions not just show risks

I will admit though that this morning while I was working out I had a big moment of angst,  you see I am an expert in this field and I can have an opinion and if I get it wrong a company will lose money but you know – if you get it wrong  lives will be lost and in the worst case our Homeland can fall.  Even with that – tonight you will hear what I feel we need to do in order to start winning the cyber battle.  We got our butts kicked by the bad guys in 2014 and it was a loud wake up call to anyone paying attention that what we have been doing is not the answer.

The general theme throughout my speech tonight will be one of trust. High performing teams consist of players that trust each other and who understand that each of the team members has an area that they are the expert in.  We cannot continue to ignore or muffle the voices of our highly trained and skilled cyber defenders and expect to be successful in our cyber defense efforts.

One of the first things we need to understand is that there is always in existance a large understanding gap.  I got my first taste of this type of understanding gap when I returned from Basic Training and I was talking to my Grandpa.  He asked me where I was stationed and I said Fort Bliss Texas,  he asked me what units were stationed there and I said the 3rd Cavalry. He got excited and we started talking;  about 5 minutes into the conversation it dawned on me that he was talking horses and I was talking tanks.  He was talking analog.

You see, we continue to increase our combat effectiveness by implementing new tools and technologies the majority of which are not analog, but are instead digital.  Digital means that they present entirely different attack vectors and will require us to have an entirely different level of trust in the expertise of the cyber defenders we put in place.  We must protect our digital assets.

The current generation of service men and woman are some of the first who have known nothing but digital tools.

(I left out this next part due to time constraints)

[Did anyone see the movie BattleShip? It’s a bit of a cheesy movie but there is a part in it where the modern digital destroyer gets blown up and the only available ship to fight the aliens was a WW II BattleShip,  they are working to try and figure out how to use the ship and the Chief looks at the Ensign and says “sir, this old thing is completely analog, it will take us years of reading the manuals to learn how to float and fight it”.  All of a sudden a long line of navy veterans come walking up and they are able to work side by side to show the team how to run and fight the ship –  think about this – in another 10 to 15 years people who understand analog are not going to be around to help us out.  ]

I continued my speech here —    I have to wonder how many of these digital troops would use a smartphone or GPS, even if disallowed in the mission parameters,  if they get lost during training?  I’m not disparaging anyone, I just realize how very hard it would be for any level of team leader to stop themselves from using an alternative before calling into command and telling someone that they were lost.  We all know how difficult that radio call would be to make.

What is scary is that if these digital devices were suddenly taken away our combat effectiveness would be greatly impacted – maybe by 90% or greater.  Ok,  each of your digital devices, smartphones, etc. have just been reset to 0:00 – how many of you can tell me what time it is?  Show of hands  {note – out of 350+ people in attendance only 2-3 raised their hands} wow, that was actually far worse than I expected it was going to be.

Having these digital items give us a significant advantage but also put us at risk if we don’t adequately protect them from cyber attack.  Tanks, Planes and ships will not operate if their computer systems are taken off-line.  Year after year we see annual reports that tell us  that our military systems are in no better shape than private sector systems are and our military IT staff feels the same pressures to get systems in place quickly rather than securely – we must be better than that. {looked down at tie and lifted it up}  We can do anything….

Most of us Cybersecurity professionals (risk professionals, assurance, etc. ) are very passionate about what we do – I personally spend upwards of 30-40 extra hours each week staying current, learning, wargaming, gathering intelligence, figuring out business enabling security strategies, and more.

How many of you in this room (Cybersecurity men and women you are not allowed to answer) can say you spend that much time studying and focusing on cybersecurity? How many of you even spend 2 hours per week?  Of course you don’t spend time studying Cybersecurity nor should you – that’s why you put cyber security professionals on your team.

Then why is it that across Corporate America, and I can only imagine it is a bit worse in the military, is it so hard to build trust between the Cyber defenders and the management community of the organization?  I know some of you are sitting out there thinking -What’s this guy talking about – I trust my Cybersecurity person.  Do you?  Do you really?

Think about this … you are the Colonel in charge of finance imagine an E6 Cyber defender walking into your office at month end closure and telling you that he has to take one of your business critical system off-line immediately for security patching as it is critically exposed and can be very easily compromised which could put the rest of our infrastructure at risk. He then tells you that the outage may last 8 to 10 hours.    Well, after 17 years experience as a security professional in Corporate America I can tell you that this request would be met with a lot of resistance and most likely the Cyber Defender will be told to wait for a day or two to do the patching.   Often times that directive will come with a comment about “you security guys and girls don’t really understand the business and tend to over-react”….

Hmmm…  I can only imagine similar conversations happening inside of Target, HomeDepot, Sony, Subway, Dairy Queen, Sigh, I’m not going to name them all – but like I said earlier we really got our butts kicked in 2014.  2015 continues the theme with the Anthem breach – a breach which directly impacts each one of you the Feds feel China committed the breach to continue their mission of gathering the personal data of our active and former military and their dependents.  We don’t know what they want the data for but it is obvious that they want it

Trust,  Target has a 148 million reasons – those are dollars by the way – plus open lawsuits, HomeDepot has 120 million reasons and Sony has 1 billion reasons, to implement a Cyber Defender authority policy.   1 billion?  how many of you work for companies that would even be able to survive a 1 billion dollar loss? I imagine if I lost a billion dollars for a company I’d be out on the street. and luckily for us we are starting to see Board Chairman, CEOs and CIOs resigning due to allowing a security breach to occur on their watch. Why is that lucky?  because it might raise the awareness we need to help fix this issue.

A base level of trust needs to be in place that makes it so that is assumed your cyber defender, who also is part of your profit sharing plan and wants the company to make money or who is a strong patriot and wants our tanks to run or planes to fly,  is not going to willy-nilly.  I just wanted to say willy-nilly in a formal speech,  is not going to willy-nilly take systems off-line and that when they say a system really needs to be fixed immediately they need to be granted the authority, we already give them the responsibility and career risk when a breach occurs,  now let’s give them the authority they need to protect the organization,  even if there is a small short term negative profit impact – wow that is hard to say but I bet if we asked Target, HomeDepot, Sony, Anthem, you get the idea if they could go back in time and accept a $5,000.00 profit hit in order to take a system off-line and patch it instead the breach they would all say yes.

For you the risk of allowing the E7, E8, Lt. Captain, Major, etcetera, I’d try to go on but I’ve been out of the military for a loooong time and would most likely get the other command ranks wrong…   to trump the cyber defender may just result in a significant loss to both your combat effectiveness and your ability to defend our country.

Trust,  trust the cyber defense experts that we are graduating from our military schools to both understand the business and to effectively assess the risk and make the call on fixing open and exploitable channels of attack.  While the department heads and commanders should still have the final say an answer of “don’t touch this system” or an answer of “you are over-reacting to this threat  – yet how would they even have the expertise to make that judgment?  should be the rare exception and not the norm.       – Trust and authority-   we can win this cyber war and defend our systems against the cyber threat.

Posted in Uncategorized | Tagged , , , , , , , , | Leave a comment

Home Depot Breach 43M loss posting on LinkedIn

I just read an article on LinkedIn about the negative impact caused by the recent Home Depot breach. Here are my thoughts about how all the 2014 breaches should change some C level and Information Security paradigms. These could cause a major C suite thought shift and maybe even a large paradigm thought shift in how our profession thinks about the skills and talents really needed by Information Security professionals.

Note – I know this opinion will not resonate well with some CISO’s – Major IT departments continue to hire CISO’s that have little to no security background. Hackers and blackhats are associated with organized crime and IMO until we put more of an emphasis on the word SECURITY in the CISO title and until CISOs stop walking a tightrope by always trying to compromise and keep the business happy by letting the business need trump the security need (“ok, don’t patch that extremely vulnerable system I understand your business need not to” ) the crooks will continue to win.

Also, it appears that too many companies are basing their CISO hiring decisions on the candidate’s business acumen. Wouldn’t it be better to focus on how well the candidate knows how to fight and deter criminals?
I’m not saying CISO’s don’t need to understand the business I am saying that a stronger focus should be on how much the CISO knows about criminals and crime fighting. I also realize that thought would take a major paradigm shift in the thinking of the C suite.

Aside | Posted on by | Tagged , , , , , , , , | Leave a comment

The Insider Threat is Alive and Well – a summary taken directly from Raytheon’s How to Build an Insider Threat Program (2014) …

Aspects of human nature further complicate matters: Well-intended managers resist any notions of “their people” doing “bad things.” They screened them. They hired them. They work with them side-by-side and – if they’re good bosses – have developed a genuine interest in their career development and even personal happiness. In addition, one of the most critical elements in building a high performing team is trust, so anything thaWhite Hatt can have a negative impact on that trust needs to be very carefully analyzed and explained before being implemented.  This disposition is not about being gullible, we all have white hat syndrome at times. It’s about being a helpful manager – and a decent person.

But it would be imprudent to completely abandon a sense of cautionary oversight, as there has been a steady flow of news reports about insiders doing harm to their organizations. They range from probably the most notorious of incidents – Edward Snowden’s carefully plotted leaking of sensitive NSA documents after downloading 1.7 million files – to possibly the funniest (except for the company in question): A software developer for a U.S. critical-infrastructure company literally outsourced his job by sending his log-in credentials to a Chinese contractor, so he could get paid six figures to surf Reddit, post Facebook updates, shop on eBay and watch cat videos all day2.  While the latter anecdote has generated considerable amusement, it underscores the reality that internal threats pose serious risks: 53% of organizations have experienced an insider cybercrime incident, according to the 2013 U.S. State of Cybercrime Survey from the CERT Insider Threat Center at the Carnegie Mellon University.  So who are the users who pose threats? In all cases, they have authorized access to the network and their co-workers and managers are usually shocked that they would do such a thing.  Clearly, tech departments need the support of their leadership to do what plant managers and foremen did in the 1950s: Watch. Audit. Intervene. Prevent.

Regardless of the user’s full time or contractual status, you want to look for classic “tip-off” behaviors which can lead to trouble, e.g. the clear taking of proprietary information NinjaHackerwithout need or approval; expressing increased interest in matters unrelated to defined duties; and connecting to the network remotely from unusual places at unusual times, having access to machines that they really don’t need access to, constantly seeking for elevated privileges, to list a few examples from the FBI profiling studies.  Without a program in place to stop these individuals, organizations stand to lose an estimated $412,000 on average per incident.

In many organizations, a “we trust everyone to do the right thing” mindset too often prevails, and data points abound, such as 50% of employees who leave a company admitting to taking proprietary data,  to show why this is highly questionable logic.

Another issue is with internal rule benders who conclude that the added layer of protections are either unnecessary and/or overly alarmist and/or present too many inconveniences for them to deal with. They consider themselves and their work as above it all, and decide on their own as to when to follow security protocols – and when to circumvent them. As they grow more comfortable with the latter, they choose it as their “default” setting, doing things such as sending proprietary information outside the company “walls” without encryption, logging onto systems that they should not have access to, elevating other person’s access rights because security doesn’t understand the person’s real need, etc.  They love external drives and USB sticks, because these tools make it nearly impossible to distinguish risky behavior from harmless, work-related shortcuts. In fact according to a recent survey conducted by Voltage Security 50% of network users admitted to having bypassed security controls to complete a task more quickly and easily. Internal Rule Benders make up 15% of treat actors who have caused or committed a breach of their organizations’ data.  Senior executives are disinclined to acknowledge that the worst is, indeed, possible: “We trust the people we hire” and they perform a valuable role. We do not want to promote a culture of suspicion.  These Senior executives need to realize that Trust but Verify is a good mantra for them to start living by.

oopsIt’s too difficult. It’s too costly. There’s no imminent crisis. “Status quo”                                  is working out just fine. Then like, Target, Home Depot and many others they                      find out that it’s not, after it’s too late. 

On our team how can we implement items that allow us to do the following?

  • CERT’s “Common Sense Guide to Mitigating Insider Threats” has emerged as an industry standard for program implementation. Among its recommended actions:
    • Launching a security information and event management (SIEM) system to log, monitor and audit user activity.
    • Detecting activities outside the users’ normal scope of duties via phone/network logs, etc.
    • Regularly reviewing accounts to verify that all are still active and necessary.
    • Ongoing auditing of user accounts created and passwords provided.
    • Requiring all system administrators to change passwords when a fellow administrator leaves his or her job.*
    • Monitoring and controlling remote access from all end points, including mobile devices.
    • Incorporating threat awareness/prevention policies into comprehensive termination policies.
    • Developing a baseline of “normal” network device behaviors.
    • Inventorying IT assets and routinely assessing their present-day role and relevancy.

Remember:

If you don’t go looking for trouble you will never find it.  

But, Trouble will find you / your Organization

How do we get back to this future in a technological workplace?

In the classic factory of the 1950s, managers strolled from their offices on a floor that towered over plant activity, closely observing whether shift crews below were doing what they were supposed to do. Because employees knew the eyes of a supervisor may be upon them at any time, they were less inclined to cheat the system – such as slipping any of the company’s property or product into their pockets, or sabotaging a machine out of spite. Thus, the business was protected. And what was good for the business was good for everyone involved: the bosses, the investors and, yes, the workers.  Said another way, it is good for business and for organizations to keep one rotten apple from spoiling the bunch.

factory

Posted in Uncategorized | Tagged , , , , , , , , , , , , , | Leave a comment