Jun 25

The Practitioner’s Perspective on Cybersecurity – June 2015

By alberg best practices, CSO, deep thoughts Comments Off on The Practitioner’s Perspective on Cybersecurity – June 2015

On June 16th, 2015, I was privileged to participate in a panel entitled “The Practitioner’s Perspective on Cybersecurity” at the SmartBrief Cybersecurity forum, held at the New York Yacht Club.  At this event, co-sponsored by SIFMA, I and a panel of other financial services security professionals bloviated on the challenges facing us today.

Here is a 15 minute “highlights reel” from the panel…

And here is the full discussion, which ran approximately 45 minutes…

The participants were:

Al Berg, Chief Security and Risk Officer, Liquidnet Holdings Inc.
Robert Cornish, Chief Technology Officer and Chief Information Security Officer, International Securities Exchange (ISE)
Boaz Gelbord, Chief Information Security Officer, Bloomberg LP
George Rettas, Managing Director and Chief of Staff, Global Information Security Department – Information Protection Directorate, Citigroup
Moderator: Sean McMahon, Senior Finance Editor, SmartBrief

More videos from this event can be found here.

Jun 01

What should InfoSec people be doing?

By alberg CSO, deep thoughts Comments Off on What should InfoSec people be doing?

Every once in a while, I like to take a step back and look at just what it is that I as a Security and Risk professional am supposed to be doing for the people who seem to be regularly depositing money in to my bank account.  Sometimes, getting caught up in the day to day tasks of keeping my company off of page 1 of the Wall Street Journal clouds the bigger picture.  I sat down this weekend and gave this issue some thought and (at the risk of being accused of navel gazing) came up with the following thoughts on what we security people should be doing and why:

 

  • The purpose of the Information Security/Risk Management function is to protect the organization and its stakeholders while enabling it to achieve its business goals.  Information Security/Risk Management should not be the department that says “No,” it should be the department that says “Here’s how we can move forward – safely.”

 

  • Understanding the goals of the organization and the processes, procedures and products used to meet those goals is vital to the work of Information Security and Risk Management.  Every organization (and sometimes divisions within the organization) has a different risk appetite, leading to a unique set of policies, procedures and technologies.

 

  • The foundation of Information Security and Risk Management is the organization’s people and culture.  Technology certainly has a large role to play in building defenses, but a well educated and vigilant management team and work force (the “Human Firewall”) is the keystone of a successful information security program.  Management’s choices as to risk must be informed and the CSRO must provide them with the information needed to make the right decisions.

 

  • While “advanced persistent threats” and cutting edge attacks get a lot of press attention, most security breaches result from the organization’s failure to implement the boring, basic, but vital “Security 101” measures.

 

  • Information security as a practice has changed significantly in the past decade.  While once, we built moats and castle walls to keep the bad guys out of our networks, today we face attackers who can “parachute in” to an organization by taking control of an employee’s computer.  Perimeter controls are still necessary, but networks must be able to withstand an attack from within.

 

  •  The Information Security and Risk professional must always be learning – about their organization, their industry as well as about new risks, threat actors and defensive techniques.  Both the business and Security and Risk landscapes change daily and only by keeping pace with these changes can the Security and Risk professional remain relevant.
Feb 18

no, it’s not the end user’s fault

By alberg best practices, CSO, deep thoughts, malware, online security, social engineering Comments Off on no, it’s not the end user’s fault

No, you’re not.

According to a survey released by endpoint security solution vendor Bromium, 79 percent of surveyed information security professionals view end users as their “number 1 security risk.”

What security people need to understand is that the end users are not the problem.  The end users are our customers (and one of the main reasons we have jobs).  The problem arises from the increasing sophistication of attackers and their tools and ruses.  In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover on the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money).  Since then, the attackers have been getting better and better at their jobs.  They send very professional looking email and social media bait which is very hard to distinguish from legitimate emails.  They do their homework, mining social media for personal and business information to make their clickbait more convincing.  End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.

I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks.  It has a great return on investment for just about every organization.

We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them.  Organizations need to beef up their email security, adding things like pre delivery attachment analysis, real time checking of clicked urls at both the time of message delivery and user action and sandboxing tools (EMET is free and pretty effective).

End users are not stupid.  They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day.  We have to step up our efforts to protect them, not call them a problem.  That’s what we get paid for.

Go hug an end user today.

Nov 30

als, bls, cissp

By alberg deep thoughts, systemic risk Comments Off on als, bls, cissp

Those of you who have the misfortune to know me personally know that information security is but one piece of the pie that is Al Berg.  (mmmm…. pie…)  On Friday nights, I swap my desk for an ambulance of the Weehawken Volunteer First Aid Squad where I am an Emergency Medical Technician.  Most of the time, these two parts of my life don’t really intersect, but this week, I saw something that seems to bridge the gap.

So, there are two different kinds of ambulances here in the US.  BLS (Basic Life Support) rigs are staffed by EMTs who are trained in basic life support techniques focused on airway, breathing and circulation.  EMTs do not administer drugs – we cannot even give you a Tylenol for pain.  If you are unfortunate enough to be meeting us on a day when you are having a cardiac arrest, we will do CPR, give you oxygen and maybe zap you with a automated defibrillator.  We’ll also call for our ALS (Advanced Life Support) colleagues – the paramedics – to respond and give you the advanced monitoring and interventions (EKG, intubation, intravenous drugs, and the like) that we can’t.

As an EMT, I am always happy to have paramedics on any call, especially a cardiac arrest, so I was really surprised to read an article this week which described a study published in the Journal of the American Medical Association which found:

90 days after hospitalization, patients treated in BLS ambulances were 50 percent more likely to survive than their counterparts treated with ALS. The basic version was also “associated with better neurological functioning among hospitalized patients, with fewer incidents of coma, vegetative state or brain trauma.”

Now, to be clear, your chances of surviving an out of hospital cardiac arrest are pretty lousy… 9 out of 10 patients who ‘code’ in the field will not survive to hospital discharge.  CPR works way better on TV than it does in real life.

Anyway, while I am a bit skeptical of this study’s results, it does seem to me that there is a bit of an information security aspect to this.  Time and again we hear of companies who have spent big on flashy technology still getting owned by hackers.  For example, Target had purchased advanced anti malware defenses from FireEye as well as outsourced monitoring for those defenses.  According to reports, the people and tech detected the bad guys, but failing to do “information security BLS” by examining the systems which were showing signs of trouble sealed Target’s place on the front page.

There are a lot of “information security BLS” measures that don’t use flashy technology or wheelbarrows of money that we can take to protect our systems:

  • Documented policies and procedures
  • Least privilege for user accounts
  • Segmentation of internal networks
  • Applying security patches and updates in a timely fashion
  • Security awareness training
  • Sharing information with other organizations

These (and many other) “information security BLS” interventions go a long way towards keeping hackers away from corporate data.  They aren’t complicated, and you don’t need to buy all sorts of blinkie light boxes to implement them.  Yet, time and again, companies fail to pay enough attention to them.  Part of the problem is that infosec professionals want to get hands on with the latest technology and doing some of these low tech interventions requires serious time and planning to avoid negative impacts to the business.

So, my resolution for 2015 is to take another look at the Council on CyberSecurity’s Critical Security Controls list and make sure my organization is doing everything we can to implement them.   As an industry we need to make sure we are doing the BLS interventions right and apply the ALS level security-fu when it is needed.

Nov 23

quick and dirty malware analysis

By alberg best practices, hacks, malware, useful stuff Comments Off on quick and dirty malware analysis

There are a number of web based tools that allow you to safely analyze the behavior of potentially malicious files safely.  My personal favorite is Malwr.com, which provides detailed analysis of just what a piece of malware tries to do when run in a sandboxed environment.  Malwr presents its findings as a detailed report explaining what processes are spawned, what files and registry keys are written and what network activity happens when the malware runs.  This is a great tool for those of us whose budgets don’t include funds for maintaining our own malware analysis labs.   For those with some more resources, you can run the same software that malwr.com uses (the open source Cuckoo malware analysis suite) on your own site.

I recently saw a video from Security BSides DC 2014 in which Craig Fields, a malware/forensics analyst from DefensePoint, demonstrated a new tool to make reading reports generated by malwr.com easier.  MalwareViz takes the URL of a malwr.com report and uses the data in the report to create a more visually oriented diagram of just what a particular piece of malware is doing, which can be really useful in explaining things to non security focused folks.

It is important to remember that malware authors are getting smarter and smarter – in some cases, malware will check to see if it is being run in a sandboxed virtual machine.  If so, the malware stops executing and the analysis doesn’t see the bad behavior which will occur during a real infection.   So, a negative result from the sandbox is just one (albeit generally a strong) indicator of whether a particular file is malicious.

 

 

Nov 02

insecure systems? no insurance for you!

By alberg systemic risk Comments Off on insecure systems? no insurance for you!

It seems that car thieves have been targeting the keyless entry systems of high end vehicles, taking advantage of insecure security in their on board computers.  In addition to stolen cars, this has also caused some insurers in the UK to refuse coverage for certain models of Range Rovers in London unless their owners take additional security measures.  This is an interesting development – if your potential customers can’t get insurance coverage because your car (or other device’s) computer enabled systems aren’t secure, then you have a real incentive to fix the problem.   Now how do we apply this to other types of systems?

Nov 02

video: how to pick a proper password

By alberg awareness, best practices, online security Comments Off on video: how to pick a proper password

When your co workers or family members ask what to do about passwords, have them watch this brief, easy to understand and information packed video from the folks at Sophos…

 

Nov 01

racing the patch clock

By alberg best practices, CSO Comments Off on racing the patch clock

all too true, usually

When previously undisclosed vulnerabilities in the Drupal web content management system used by many large companies to manage their web sites were announced, hackers were busy exploiting those weaknesses within hours.  This incident highlights the bind that security people and system administrators are increasingly find themselves in – we need to patch critical vulnerabilities quickly to protect our systems from compromise, but rolling patches out without proper testing can also lead to downtime (witness Microsoft’s recent run of faulty security patches).    Having the skills to mitigate vulnerabilities while patches are tested and rolled out is a something we need to cultivate as security pros.

Oct 31

your passcode can take the fifth, but not your finger

By alberg law, worst practices Comments Off on your passcode can take the fifth, but not your finger

VA court gives tech savvy criminals the finger

Now, here is a head scratcher… a circuit court in Virginia has ruled that while law enforcement cannot force you to reveal the passcode for your mobile phone, they CAN force you to unlock your phone with a fingerprint, since a passcode requires you to divulge knowledge while a fingerprint is a form of physical evidence.  While this seemingly nonsensical decision is not binding on other courts, it can be used as precedent in future cases.  I guess the moral of the story is that you should disable TouchID on your iPhone before embarking on your life of mobile phone assisted crime.  Alternatively, you could reboot your iPhone as John Q Law closes in, since TouchID will not work until you have entered your passcode after a reboot.

Jul 13

lastpass security issues found and fixed

By alberg authentication, cloud computing Comments Off on lastpass security issues found and fixed

In August of last year, a security researcher at UC Berkeley found two security vulnerabilities in LastPass while researching the security of web based password managers.  He reported the problems to LastPass, who quickly remediated them.

One of the vulnerabilities would have allowed an attacker to gain access to unencrypted credentials IF the user accessed a malicious web site and then used the LastPass “BookMarklet” to log into that site  – if you use the browser extensions for Chrome, IE, Firefox, or Safari (as 99% of LastPass users do), your account was not vulnerable to this attack.  BookMarklets are only used if the browser in use does not support LastPass directly.

The other vulnerability would have allowed an attacker who knew a user’s log in ID to retrieve an user’s encrypted password file, but not the key needed to decrypt this file.

LastPass states that they have no evidence that either of these vulnerabilities were exploited by anyone other than the researchers.

I still use and recommend LastPass – after all, if we stopped using software every time a security vulnerability was found and fixed, we would not be using Windows, Mac OS, or any browsers and plugins.   The extra security provided by using LastPass to manage unique strong passwords for the sites you log into far outweighs the risk of being compromised by vulnerabilities such as the ones described.

There is a lesson to be learned for LastPass users, though.  The security of your account is as only as good as the master password you choose for your LastPass account.  Make sure that it is hard to guess, and is constructed using letters, numbers and special characters in order to make it as hard as possible for someone to crack.

I am disappointed in how long it took LastPass to reveal this issue – when you are entrusted with users’ “keys to the kingdom,” you have a responsibility to be transparent about issues like this in a timely fashion.  I think that this is also a good time for LastPass to open up their code for third party security review to be proactive about finding and fixing security issues before the bad guys do.

 

 

preload preload preload