Home Depot Breach 43M loss posting on LinkedIn

I just read an article on LinkedIn about the negative impact caused by the recent Home Depot breach. Here are my thoughts about how all the 2014 breaches should change some C level and Information Security paradigms. These could cause a major C suite thought shift and maybe even a large paradigm thought shift in how our profession thinks about the skills and talents really needed by Information Security professionals.

Note – I know this opinion will not resonate well with some CISO’s – Major IT departments continue to hire CISO’s that have little to no security background. Hackers and blackhats are associated with organized crime and IMO until we put more of an emphasis on the word SECURITY in the CISO title and until CISOs stop walking a tightrope by always trying to compromise and keep the business happy by letting the business need trump the security need (“ok, don’t patch that extremely vulnerable system I understand your business need not to” ) the crooks will continue to win.

Also, it appears that too many companies are basing their CISO hiring decisions on the candidate’s business acumen. Wouldn’t it be better to focus on how well the candidate knows how to fight and deter criminals?
I’m not saying CISO’s don’t need to understand the business I am saying that a stronger focus should be on how much the CISO knows about criminals and crime fighting. I also realize that thought would take a major paradigm shift in the thinking of the C suite.


The Insider Threat is Alive and Well – a summary taken directly from Raytheon’s How to Build an Insider Threat Program (2014) …

Aspects of human nature further complicate matters: Well-intended managers resist any notions of “their people” doing “bad things.” They screened them. They hired them. They work with them side-by-side and – if they’re good bosses – have developed a genuine interest in their career development and even personal happiness. In addition, one of the most critical elements in building a high performing team is trust, so anything that can have a negative impact on that trust needs to be very carefully analyzed and explained before being implemented. This disposition is not about being gullible; we all have white hat syndrome at times. It’s about being a helpful manager – and a decent person.

But it would be imprudent to completely abandon a sense of cautionary oversight, as there has been a steady flow of news reports about insiders doing harm to their organizations. They range from probably the most notorious of incidents – Edward Snowden’s carefully plotted leaking of sensitive NSA documents after downloading 1.7 million files – to possibly the funniest (except for the company in question): A software developer for a U.S. critical-infrastructure company literally outsourced his job by sending his log-in credentials to a Chinese contractor, so he could get paid six figures to surf Reddit, post Facebook updates, shop on eBay and watch cat videos all day. While the latter anecdote has generated considerable amusement, it underscores the reality that internal threats pose serious risks: 53% of organizations have experienced an insider cybercrime incident, according to the 2013 U.S. State of Cybercrime Survey from the CERT Insider Threat Center at Carnegie Mellon University. So who are the users who pose threats? In all cases, they have authorized access to the network, and their co-workers and managers are usually shocked that they would do such a thing. Clearly, tech departments need the support of their leadership to do what plant managers and foremen did in the 1950s: Watch. Audit. Intervene. Prevent.

Regardless of the user’s full-time or contractual status, you want to look for classic “tip-off” behaviors which can lead to trouble, e.g. the clear taking of proprietary information without need or approval; expressing increased interest in matters unrelated to defined duties; connecting to the network remotely from unusual places at unusual times; having access to machines that they really don’t need access to; and constantly seeking elevated privileges, to list a few examples from the FBI profiling studies. Without a program in place to stop these individuals, organizations stand to lose an estimated $412,000 on average per incident.

In many organizations, a “we trust everyone to do the right thing” mindset too often prevails, and data points abound – such as 50% of employees who leave a company admitting to taking proprietary data – to show why this is highly questionable logic.

Another issue is with internal rule benders who conclude that the added layer of protection is either unnecessary and/or overly alarmist and/or presents too many inconveniences for them to deal with. They consider themselves and their work as above it all, and decide on their own when to follow security protocols – and when to circumvent them. As they grow more comfortable with the latter, they choose it as their “default” setting, doing things such as sending proprietary information outside the company “walls” without encryption, logging onto systems that they should not have access to, elevating other people’s access rights because security doesn’t understand the person’s real need, etc. They love external drives and USB sticks, because these tools make it nearly impossible to distinguish risky behavior from harmless, work-related shortcuts. In fact, according to a recent survey conducted by Voltage Security, 50% of network users admitted to having bypassed security controls to complete a task more quickly and easily. Internal rule benders make up 15% of threat actors who have caused or committed a breach of their organizations’ data. Senior executives are disinclined to acknowledge that the worst is, indeed, possible: “We trust the people we hire, and they perform a valuable role. We do not want to promote a culture of suspicion.” These senior executives need to realize that Trust but Verify is a good mantra for them to start living by.

It’s too difficult. It’s too costly. There’s no imminent crisis. “Status quo” is working out just fine. Then, like Target, Home Depot and many others, they find out that it’s not, after it’s too late.

On our team how can we implement items that allow us to do the following?

CERT’s “Common Sense Guide to Mitigating Insider Threats” has emerged as an industry standard for program implementation. Among its recommended actions:

  • Launching a security information and event management (SIEM) system to log, monitor and audit user activity.
  • Detecting activities outside the users’ normal scope of duties via phone/network logs, etc.
  • Regularly reviewing accounts to verify that all are still active and necessary.
  • Ongoing auditing of user accounts created and passwords provided.
  • Requiring all system administrators to change passwords when a fellow administrator leaves his or her job.
  • Monitoring and controlling remote access from all end points, including mobile devices.
  • Incorporating threat awareness/prevention policies into comprehensive termination policies.
  • Developing a baseline of “normal” network device behaviors.
  • Inventorying IT assets and routinely assessing their present-day role and relevancy.
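Two of the recommendations above (developing a baseline of “normal” behavior and detecting activity outside a user’s usual scope) and the FBI “tip-off” behaviors listed earlier (unusual places, unusual times, hosts the user does not need, repeated privilege requests) can be combined into one simple review. The following is an added illustration, not code from Raytheon, CERT or this blog: it builds a per-user profile from a constructed set of historical remote-access records and then reports which new events deviate from that profile. The log format, the user names and every record are constructed for the example; a real SIEM would feed it authentication and VPN logs instead.

```python
"""Baseline-and-deviation review for remote-access events (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed historical records forming the baseline period.
# Fields: timestamp, user, source country, host reached, privilege used.
BASELINE_LOG = """\
2014-09-01T08:12:00 alice US fileserver01 user
2014-09-02T09:03:00 alice US fileserver01 user
2014-09-03T08:45:00 alice US fileserver01 user
2014-09-04T17:30:00 alice US hr-db user
2014-09-01T22:05:00 bob US build01 user
2014-09-02T23:10:00 bob US build01 admin
2014-09-03T21:50:00 bob US build01 admin
"""

# Constructed events to evaluate against that baseline.
NEW_EVENTS = """\
2014-09-08T09:10:00 alice US fileserver01 user
2014-09-08T03:14:00 alice RO fileserver01 user
2014-09-08T10:00:00 alice US build01 admin
2014-09-08T22:30:00 bob US build01 admin
"""


def parse(log):
    """Turn the whitespace-separated constructed format into tuples."""
    rows = []
    for line in log.splitlines():
        ts, user, country, host, priv = line.split()
        rows.append((datetime.fromisoformat(ts), user, country, host, priv))
    return rows


def build_baseline(rows):
    """Per-user profile of hours, source countries, hosts and privileges seen."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set(),
                                   "hosts": set(), "privs": set()})
    for ts, user, country, host, priv in rows:
        p = profile[user]
        p["hours"].add(ts.hour)
        p["countries"].add(country)
        p["hosts"].add(host)
        p["privs"].add(priv)
    return profile


def deviations(event, profile):
    """List the tip-off conditions an event triggers against the baseline."""
    ts, user, country, host, priv = event
    p = profile.get(user)
    if p is None:
        return ["unknown user"]
    found = []
    # Tolerate one hour either side of any hour the user was seen before.
    if not any(abs(ts.hour - h) <= 1 for h in p["hours"]):
        found.append("unusual time")
    if country not in p["countries"]:
        found.append("unusual place")
    if host not in p["hosts"]:
        found.append("host outside normal scope")
    if priv not in p["privs"]:
        found.append("elevated privilege")
    return found


def review(baseline_log, new_log):
    """Return (user, timestamp, reasons) for every event that deviates."""
    profile = build_baseline(parse(baseline_log))
    flagged = []
    for ev in parse(new_log):
        reasons = deviations(ev, profile)
        if reasons:
            flagged.append((ev[1], ev[0].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for user, when, reasons in review(BASELINE_LOG, NEW_EVENTS):
        print(f"{when} {user}: {', '.join(reasons)}")
```

Run as written, the review flags alice’s 03:14 login from a new country and her admin-level access to a build host she never touched before, while her normal morning file-server logins and bob’s habitual late-night admin work pass quietly. The point is the shape of the check, not the thresholds: the baseline period, the one-hour tolerance and the fields compared are all choices an analyst tunes per environment, and a flagged event is a reason to look, not proof of wrongdoing.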


If you don’t go looking for trouble you will never find it.

But trouble will find you and your organization.

How do we get back to this future in a technological workplace?

In the classic factory of the 1950s, managers strolled from their offices on a floor that towered over plant activity, closely observing whether shift crews below were doing what they were supposed to do. Because employees knew the eyes of a supervisor may be upon them at any time, they were less inclined to cheat the system – such as slipping any of the company’s property or product into their pockets, or sabotaging a machine out of spite. Thus, the business was protected. And what was good for the business was good for everyone involved: the bosses, the investors and, yes, the workers.  Said another way, it is good for business and for organizations to keep one rotten apple from spoiling the bunch.



Just a Random Thought After an Information Technology (IT) Meeting

It is not the job of IT operational support staff to eliminate 100% of failures across the corporate infrastructure (the cost would be too high). It is IT’s job to manage failures so that they stay within the levels of operation the business has determined as acceptable. – Kevin McLaughlin


A day in the life of a senior Cyber Security Incident Responder


The day was proving to be an exciting one for team Havoc, the Company’s cyber Red Team, as the L2 report Glacier had just read showed that 4 of the core company servers were vulnerable to a very common exploit. Glacier, the Red Team leader, was evaluating the report and figuring out how he was going to communicate this to the Global IT leaders. It was important to not just inform IT of the vulnerability, but to have recommended solution sets to present that were reasonable and that would allow them to remediate the vulnerabilities. Glacier was on his second read through of the report when he noticed a section that mentioned end user data on the systems being encrypted.

“Hey Hammerhead, come over here.” Hammerhead is the team’s best Wintel expert. “What’s up?” “Take a look at these systems and check out what is happening with the data on the shared drive. I’m thinking we’ve already been hacked and have a serious issue here. What do you think?” “Oh man, Glacier, it looks like we have an active ransomware attack, maybe using something like Cryptowall.”

Glacier immediately contacts NightShade, the Cyber Incident Response Team (CIRT) coordinator and asks her to get the team assembled.

While the above scenario does happen more often than we would like it to, thankfully it is not an everyday occurrence. Most days consist of conducting risk assessments on malware and zero-day events, investigating abnormal system behavior, and investigating employee or corporate security reports of suspicious activity. Each of these events has to be analyzed and assessed quickly, all the while knowing that each of the actions decided upon will be second guessed by armchair quarterbacks across corporate IT leadership. Let’s say the Incident Response (IR) team makes a decision to patch systems based on their initial intelligence gathering and risk analysis. If any of these systems have a production failure due to the patch, pushback from IT immediately begins and argument over the need and criticality of the patch ensues. Even when the actions taken, such as having corporate executives change their passwords, are less impactful to productivity than leaving a building due to a fire alarm, second guessing by business leaders is inevitable. Even though the IR team’s decisions are rooted in cyber intelligence followed by an appropriate risk analysis, they are frequently told they are overreacting.

The business and IT leaders who do this second guessing often ask that in the future, when these decisions are made, they be made by group consensus. This thinking shows a complete lack of understanding of how fast cyber-attacks can move. For example: when the Blaster worm came out as a zero-day event it took down Fortune 500 companies around the globe in less than 15 minutes. The other issue with this type of reasoning is that these business and IT resources, while highly intelligent, have limited knowledge of cyber security and what it takes to prevent or quickly remediate data breaches. This fact has been made obvious by the long line of large data breaches, all in companies that had limited Cyber Security resources or that did not listen to the ones they did have.

The same business and IT leaders who are doing the second guessing of Cyber Security professionals most likely read the first paragraph of this paper with thoughts that it is silly and bizarre for Cyber Security IR teams to use nicknames. Experienced IR professionals understand that hackers and fraudsters are highly intelligent and capable of conducting social engineering research to find the names of IR members so they can track those names on chats and systems in an effort to disrupt response capabilities. In the past, law enforcement professionals have had the bad guys call police stations pretending to be a hospital where their wife or husband had just arrived after being in a car accident. It is very possible that cyber attackers would try some of the same tactics to disrupt IR response capabilities. There are many IR teams that only have one UNIX or one Wintel resource, and having them not engaged would cause a large negative impact to team operations. So, not only should IR teams use nicknames, but these nicknames should also be treated as restricted data.

So, after that interlude, let’s get back to a day in the life of a senior IR professional. As with most jobs, coffee is the beginning of the day. While drinking their coffee, the IR professional reviews a variety of Cyber Intelligence sources to determine potential impact to the current employer. On some days this leads into the intelligence gathering and risk analysis work discussed above; on other days it leads to a check through emails to make sure that the Level 1 (L1) or Level 2 (L2) Security Operations Center (SOC) did not have any urgent findings for immediate handling. If there are no urgent needs in email, then a variety of L1 and L2 SOC reports are reviewed and analyzed and items of interest are followed up on as needed. Being a student of Stephen Covey’s 7 Habits and the Corporate Athlete methods, lunch is something light and is followed by a walk or quick workout. After lunch, the senior IR professional performs a quick check-in with each of the team members to see what items they are working on and to make sure that morale is high. This is followed by another quick email review to make sure nothing urgent has come in from Corporate Security, the company’s See Something – Say Something campaign, or either of the SOCs. Assuming nothing needing attention has come in, the IR professional brings up the SIEM dashboard to conduct a quality check of the work being done by the L1 and L2. This often leads to some phone calls or a meeting with their team leaders to reinforce Standard Operating Procedure (SOP) items that are not being correctly followed. The end of the day usually consists of going through all the emails that have had to sit while the daily tasks were completed.


What’s It Going to Take to Have Cyber Security?

Written by Kevin L. and Kody T. McLaughlin

If you are a Cyber Security professional do you get as mad as I do when you read and hear over and over again that Cyber Security professionals don’t have enough talent, skills, or business acumen to effectively secure systems? I say bull! That’s right bull! In wargame after wargame I have observed that the defending team must keep an unused port open, or have a small exploitable vulnerability on their systems so that the attackers have a chance and the games are interesting. What that tells me is that many of us know what to do and we have the skills necessary to do it but there are organizational blockers that prevent us from effectively securing the systems we are trusted to safeguard. Until we change the business culture into one that allows cyber security professionals the latitude to mandate that system baselines are kept, that critical vulnerabilities are remediated immediately, that unused ports and unused services remain off, that comprehensive logs are sent to a security tool for analytics, etc. we will continue to have data breaches reported on pretty much a daily basis. Organizational data breaches are getting to be too common and too severe to be ignored. Already this year we have seen:

  • A 56 million card credit card breach at Home Depot
  • 4.5 million patient records compromised at Community Health Services
  • A breach of over 216 stores at Jimmy John’s
  • The discovery of a 2-year, 82,600 patient breach out of Aventura Hospital and Medical Center
  • 1.4 million TripAdvisor customers compromised
  • A Neiman Marcus breach of 350,000 cards
  • A breach of 868,000 cards from 330 stores at Goodwill

Oh well, at least at the end of the day we can forget about these breaches and unwind with a few video games. That is, of course, as long as they aren’t one of the games like Destiny and Call of Duty that hackers DDoS’d with little effort.

The bulleted items above are just the high-profile incidents. Numerous smaller companies have also been compromised. Yet companies still refuse to believe that this could happen to them. According to the Ponemon Institute, 43% of companies had a data breach in the past year. It is time for companies to realize the cyber threat isn’t some boogieman in the closet; it is a real and increasingly present threat.

These threats come with real consequences. According to a report published by IBM the average cost of a cyber breach is $201 per record compromised. This averages out to a cost of $5.9 million per breach with some breaches exceeding $21 million. The IBM report also suggests that customers and investors are becoming increasingly less likely to continue doing business with an organization that has had a


Breaches also come with legal battles. Right now, Home Depot is caught in a firestorm of suits, one of which is to the tune of $450 million for negligence.

It is a sad state that it appears as if Information Security teams are woefully incapable of keeping up with the increasingly prominent and advanced cyber threat. This isn’t due to lack of knowledge or talent but due to lack of influence within their organization. It is too easy and too common for companies to hire CISOs and large security teams to make themselves feel safe, and then when those teams want to change policies, procedures, or add security controls they are shunned and ignored due to the inconvenience associated with securing systems. Or, and this appears to be the non-security business executive’s number one trump card, these CISOs and their teams are told “you just don’t understand the business,” which really means that the business executive doesn’t understand or believe the security analysis. Worse is that in most organizations these Cyber Security teams have no power to mandate appropriate action be taken to secure organizational systems. When organizational charts put the CISO underneath executive decision makers, instead of high enough to warrant a chair at “the big kids table,” it is extremely difficult for security teams to make a meaningful change in their organization’s security posture. Until security teams are given the authority they need to be effective these daily breaches will continue.


The Cyber Security CIA explained via Calvin and Hobbes

Leave it to my son Kody, who is starting his Cyber Security career to come up with this novel way to explain the CIA triad for Cyber Security.

In InfoSec terms, CIA refers to Confidentiality, Integrity, and Availability. To illustrate how these principles work, let’s look at Calvin and Hobbes.

Calvin and Hobbes create a club called the “Super-Secret-No-Icky-Girls-Allowed” club. During their very first treehouse meeting, they draft a document entitled “member list” and write the names “Calvin” and “Hobbes” on the list. This list is the club’s most valuable asset, so Calvin and Hobbes need to maintain the CIA of the asset. The confidentiality of the list is critical, as the exposure of the secret member list would cause the entire super-secret club to lose its purpose. The integrity of the list is also important to ensure that unauthorized modifications of the list can’t be made. It would be terrible if Susie’s name were to make it on the list or if Calvin’s name were to be removed. Lastly, the availability of the list is important. When the club meets to have their secret meetings, they need the list to do roll call and to ensure that those in attendance are listed.

So now that we’ve got the idea, we can explain how CIA works for business assets. The confidentiality of the asset is necessary to ensure that only those with appropriate privileges and appropriate need can see the asset. The integrity of the asset is necessary to ensure that the data has not been changed and, if it has, a log of changes is kept. The availability of the asset is necessary because it is not of any value if no one can interact with it for its intended purpose.
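The member list makes a handy concrete asset for showing what each of the three properties looks like as a control. The following is an added example, not part of Kody’s post: a small in-memory roster where confidentiality is a reader list, integrity is a keyed hash (HMAC) over the contents plus a change log of authorized edits, and availability is a backup copy that can be restored when the working copy is lost or damaged. The key, the reader and editor lists and the names are all constructed for the illustration.

```python
"""The club member list as a CIA-triad demonstration (added example)."""
import hashlib
import hmac
import json

# Constructed key for this illustration; a real system would pull it from a key store.
SECRET_KEY = b"treehouse-roster-key"


class MemberList:
    def __init__(self, readers, editors):
        self.readers = set(readers)   # confidentiality: who may view the list
        self.editors = set(editors)   # integrity: who may change the list
        self.members = []
        self.change_log = []          # integrity: record of every authorized change
        self._seal()

    def _mac(self, members):
        """Keyed hash over the list; without SECRET_KEY a tamperer cannot forge it."""
        data = json.dumps(list(members)).encode()
        return hmac.new(SECRET_KEY, data, hashlib.sha256).hexdigest()

    def _seal(self):
        self.tag = self._mac(self.members)

    def is_intact(self):
        """Integrity check: does the stored tag still match the contents?"""
        return hmac.compare_digest(self.tag, self._mac(self.members))

    def read(self, who):
        """Confidentiality: only listed readers get the contents, and only if intact."""
        if who not in self.readers:
            raise PermissionError(f"{who} may not view the member list")
        if not self.is_intact():
            raise RuntimeError("member list has been tampered with")
        return list(self.members)

    def add(self, who, name):
        """Integrity: only editors may change the list, and every change is logged."""
        if who not in self.editors:
            raise PermissionError(f"{who} may not edit the member list")
        self.members.append(name)
        self.change_log.append((who, "add", name))
        self._seal()

    def backup(self):
        """Availability: a copy of contents and tag kept somewhere safe."""
        return (list(self.members), self.tag)

    def restore(self, snapshot):
        """Availability: bring the list back from a backup after loss or tampering."""
        self.members, self.tag = list(snapshot[0]), snapshot[1]
        if not self.is_intact():
            raise RuntimeError("backup itself fails the integrity check")


def demo():
    """Walk the roster through the three properties and report what happened."""
    club = MemberList(readers={"Calvin", "Hobbes"}, editors={"Calvin", "Hobbes"})
    club.add("Calvin", "Calvin")
    club.add("Hobbes", "Hobbes")
    snapshot = club.backup()
    results = {"roll_call": club.read("Hobbes")}

    try:                               # confidentiality: Susie may not read it
        club.read("Susie")
        results["susie_read"] = "allowed"
    except PermissionError:
        results["susie_read"] = "denied"

    try:                               # integrity: Susie may not add herself
        club.add("Susie", "Susie")
        results["susie_edit"] = "allowed"
    except PermissionError:
        results["susie_edit"] = "denied"

    club.members.append("Susie")       # tampering that bypasses the add() path
    results["tamper_detected"] = not club.is_intact()

    club.restore(snapshot)             # availability: recover the good copy
    results["after_restore"] = club.read("Calvin")
    results["changes_logged"] = len(club.change_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The HMAC detects a change made around the controls, which is the case the post cares about (Susie’s name appearing without anyone authorizing it); the change log covers the other half of the integrity statement above, that authorized changes leave a record. Restoring from the snapshot shows availability as something you plan for, not just hope for.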


Compliance does not Equal Security

When I read items like this:

Agarwal said NoMoreRack is now in the process of certifying itself this time as a Tier-1 merchant, even though the number of credit and debit cards it processed in 2013 placed it squarely in the Tier-2 range.

I get frustrated. While I understand that compliance is necessary and is important, companies still need to understand that being compliant does not mean you are secure! There is more to it than that. In too many cases compliance is just a check box that makes senior management feel better about the overall state of organizational security.
