Jun 25

The Practitioner’s Perspective on Cybersecurity – June 2015

By alberg best practices, CSO, deep thoughts Comments Off on The Practitioner’s Perspective on Cybersecurity – June 2015

On June 16th, 2015, I was privileged to participate in a panel entitled “The Practitioner’s Perspective on Cybersecurity” at the SmartBrief Cybersecurity forum, held at the New York Yacht Club.  At this event, co-sponsored by SIFMA, I and a panel of other financial services security professionals bloviated on the challenges facing us today.

Here is a 15 minute “highlights reel” from the panel…

And here is the full discussion, which ran approximately 45 minutes…

The participants were:

Al Berg, Chief Security and Risk Officer, Liquidnet Holdings Inc.
Robert Cornish, Chief Technology Officer and Chief Information Security Officer, International Securities Exchange (ISE)
Boaz Gelbord, Chief Information Security Officer, Bloomberg LP
George Rettas, Managing Director and Chief of Staff, Global Information Security Department – Information Protection Directorate, Citigroup
Moderator: Sean McMahon, Senior Finance Editor, SmartBrief

More videos from this event can be found here.

Jun 01

What should InfoSec people be doing?

By alberg CSO, deep thoughts Comments Off on What should InfoSec people be doing?

Every once in a while, I like to take a step back and look at just what it is that I as a Security and Risk professional am supposed to be doing for the people who seem to be regularly depositing money in to my bank account.  Sometimes, getting caught up in the day to day tasks of keeping my company off of page 1 of the Wall Street Journal clouds the bigger picture.  I sat down this weekend and gave this issue some thought and (at the risk of being accused of navel gazing) came up with the following thoughts on what we security people should be doing and why:

 

  • The purpose of the Information Security/Risk Management function is to protect the organization and its stakeholders while enabling it to achieve its business goals.  Information Security/Risk Management should not be the department that says “No,” it should be the department that says “Here’s how we can move forward – safely.”

 

  • Understanding the goals of the organization and the processes, procedures and products used to meet those goals is vital to the work of Information Security and Risk Management.  Every organization (and sometimes divisions within the organization) has a different risk appetite, leading to a unique set of policies, procedures and technologies.

 

  • The foundation of Information Security and Risk Management is the organization’s people and culture.  Technology certainly has a large role to play in building defenses, but a well educated and vigilant management team and work force (the “Human Firewall”) is the keystone of a successful information security program.  Management’s choices as to risk must be informed and the CSRO must provide them with the information needed to make the right decisions.

 

  • While “advanced persistent threats” and cutting edge attacks get a lot of press attention, most security breaches result from the organization’s failure to implement the boring, basic, but vital “Security 101” measures.

 

  • Information security as a practice has changed significantly in the past decade.  While once, we built moats and castle walls to keep the bad guys out of our networks, today we face attackers who can “parachute in” to an organization by taking control of an employee’s computer.  Perimeter controls are still necessary, but networks must be able to withstand an attack from within.

 

  •  The Information Security and Risk professional must always be learning – about their organization, their industry as well as about new risks, threat actors and defensive techniques.  Both the business and Security and Risk landscapes change daily and only by keeping pace with these changes can the Security and Risk professional remain relevant.
Feb 18

no, it’s not the end user’s fault

By alberg best practices, CSO, deep thoughts, malware, online security, social engineering Comments Off on no, it’s not the end user’s fault

No, you’re not.

According to a survey released by endpoint security solution vendor Bromium, 79 percent of surveyed information security professionals view end users as their “number 1 security risk.”

What security people need to understand is that the end users are not the problem.  The end users are our customers (and one of the main reasons we have jobs).  The problem arises from the increasing sophistication of attackers and their tools and ruses.  In the olden days (a couple of years ago), we could arm our users with easy ways to recognize and avoid phishing (hover on the link and see if it matches the text) and social engineering (no, the Nigerian prince does not want to give you his money).  Since then, the attackers have been getting better and better at their jobs.  They send very professional looking email and social media bait which is very hard to distinguish from legitimate emails.  They do their homework, mining social media for personal and business information to make their clickbait more convincing.  End users receive hundreds of emails every day and they just don’t have the time or expertise to always avoid the bad stuff.

I am still a big proponent of end user education and awareness – it will help users avoid the “low hanging fruit” type of attacks and for some users, it will provide them with clues which can raise their suspicions about more sophisticated attacks.  It has a great return on investment for just about every organization.

We have reached an inflection point in the “endpoint wars” – we need to provide users with solutions which are better at spotting and preventing the sophisticated attacks for them.  Organizations need to beef up their email security, adding things like pre delivery attachment analysis, real time checking of clicked urls at both the time of message delivery and user action and sandboxing tools (EMET is free and pretty effective).

End users are not stupid.  They simply have different priorities than security people and are trying to keep up with an ever expanding flow of information every day.  We have to step up our efforts to protect them, not call them a problem.  That’s what we get paid for.

Go hug an end user today.

Nov 01

racing the patch clock

By alberg best practices, CSO Comments Off on racing the patch clock

all too true, usually

When previously undisclosed vulnerabilities in the Drupal web content management system used by many large companies to manage their web sites were announced, hackers were busy exploiting those weaknesses within hours.  This incident highlights the bind that security people and system administrators are increasingly find themselves in – we need to patch critical vulnerabilities quickly to protect our systems from compromise, but rolling patches out without proper testing can also lead to downtime (witness Microsoft’s recent run of faulty security patches).    Having the skills to mitigate vulnerabilities while patches are tested and rolled out is a something we need to cultivate as security pros.

Apr 11

Keep your users informed with SANS’ OUCH! newsletter

By alberg awareness, best practices, CSO Comments Off on Keep your users informed with SANS’ OUCH! newsletter

 

SANS recently published the latest edition of their “OUCH!” security newsletter for end users – this month’s topic is Yes – You Actually ARE a Target! – something that we usually have to remind users about on a regular basis, in spite of the regular coverage of hacks, data breaches and other cyber shenanigans which are always afoot these days.

OUCH is a good (and free) resource to augment your organization’s Security Awareness efforts.

SANS OUCH Newsletter

www.securingthehuman.org 

Oct 04

more iPhone fingerprint issues

By alberg authentication, CSO, hacks, worst practices Comments Off on more iPhone fingerprint issues

Another attack on the iPhone 5s TouchID sensor… a German security firm has claimed to be able to use an iPhone 4s camera to grab a fingerprint image and then make that image into a fake finger mold.  It still takes a bit of effort, but one barrier to entry (hi res camera) has been removed.

In addition, the same company claims to have defeated the Activation Lock feature which cripples lost/stolen phones by:

Getting a good photo of the target’s fingerprint

Making a fake finger mold

Putting the device into airplane mode

Going to another computer and requesting a password reset on the target’s Apple ID

Unlocking the phone with the fake fingerprint

Turning airplane mode off just long enough to receive the password reset email and resetting the password on the account.

Once this is done, the attacker would have the ability to unlock the phone.  The key to this attack is getting the phone into airplane mode, which can be done from the lock screen if Siri and/or the Control Center are enabled on the Lock Screen.  I would again recommend that 5s users turn off access to Siri and Control Center from the Lock Screen.

The same webpage includes a video showing the fake fingerprint technique used successfully on another phone as well as on a Lenovo laptop.

It is starting to look like fingerprint based authentication on corporate/consumer devices is still a work in progress and CISOs in organizations with BYOD policies need to do a risk analysis to determine whether the convenience of fingerprint authentication is outweighed by the potential risks.  This is not a “one size fits all” calculation and really depends on the profile of your attackers.  For some organizations, this is easy – I would hope that a defense contractor targeted by nation states would not use fingerprint authentication.  For small businesses or consumers who are mostly concerned with device loss and non targeted theft, fingerprints may be good enough (especially if devices were not protected with passcodes in the past.  Unfortunately most businesses fall somewhere in the middle of these two cases.

PS – One small positive item I left out from my previous posts on this topic… if you power off your 5s altogether or have not authenticated to the phone for 48 hours, you will be required to enter your passcode to access the phone.

Jul 12

japan cloud oopsie reveals confidential treaty data

By alberg cloud computing, CSO, worst practices Comments Off on japan cloud oopsie reveals confidential treaty data

A cautionary tale of cloud computing… apparently, a Google Groups group set up by the Japanese Ministry of the Environment to (internally) share documents and messages regarding negotiations about an international treaty was misconfigured, leaving the information therein world readable.  Cloud computing is here to stay folks and governments, companies  and other organizations (and their security folks) need to figure out ways to keep confidential data either out of the cloud or, better yet, safe in the cloud.   IMHO, we need cloud providers to come up with creative ways to allow organizations to encrypt particularly sensitive data with keys controlled by the data owner.

Feb 24

attackers are doing their homework – are you?

By alberg best practices, CSO, hacks, malware, privacy Comments Off on attackers are doing their homework – are you?

Some spear phishing wisdom from Security BSides SFO today…

Rohyt Belani of PhishMe told an interesting story highlighting just how much research attackers do when choosing their targets and crafting spear phishing payloads. In an attack on an energy company, employees received an email appearing to be from the company’s HR department offering information on discounted health care premiums for employees with more than 3 children. The only employees to receive the message? The two people at the company with 4 or more children.

This raises two issues for InfoSec professionals…

First, the attackers are doing their homework, people. They are taking the time to craft their social engineering payloads in ways that target very specific targets. This means (IMHO) that they are extremely motivated – most probably by money or ideology.

Second, our coworkers are helping the attackers with their targeting by sharing all sorts of personal information via social networking platforms. We need to educate them about:

+ The fact that their social media profiles are visible not only to friends and family, but also bad guys who will use that information to craft their attacks. The “familiarity cues” which we tend to use to determine whether a message or request is from a friend or a foe just don’t work anymore.

+ Their ability to control who sees their social networking information by using the privacy features offered by Facebook, LinkedIn, and to a lesser extent, Twitter. They need to think about what they are posting and who will see it – not only to protect the company, but to protect the privacy of themselves and their families.

While we put all sorts of technical solutions in place to protect our systems and information from malware, our users are the front line defense against the most serious threats we face. Educating them to be aware of how their actions both inside and outside the office affect the organization’s security is one of the most important tasks we face as InfoSec professionals.

Jan 21

java: threat or menace?

By alberg best practices, CSO, hacks Comments Off on java: threat or menace?

Too much Java can make you cranky…

It has been a pretty bad few weeks for Oracle’s Java language – zero day vulns, followed by an out of band patch, with another serving of zero days to top things off.   “Uninstall Java – it is dangerous at any speed!” was the message from some security experts.

The things that make Java attractive to web app developers (it’s cross platform compatibility and pretty ubiquitous distribution) are the same things that make it such an attractive target for malware authors.  Add to that a seemingly endless supply of critical security vulnerabilities, and you have a recipe for big trouble.

I have pretty much had it up to here (my hand is at neck level) with Java as a web plugin and would love to just uninstall the whole bug infested mess from my users’ computers at the office.  (Of course I could say the same thing about Flash)  However, some pretty critical parts of our business rely on Java web apps to bring in revenue (some of which goes to pay my salary – nuff said).  So, I had to get a bit clever in coming up with a defensive strategy.

After looking at my web proxy logs, I determined that Java usage at my firm pretty much fell into two buckets:  a small number of business related apps from trusted business partners and a whole bunch of totally non business related apps accessed during recreational surfing.  This made my job pretty easy… I figured out where the business apps came from and created a whitelist.  Then I set the web filter to block all .jar and .class file downloads from other locations.  In the two or so weeks that this policy has been in place, I have gotten exactly one request to whitelist a new jar file.  The result?  A much reduced attack surface for the company.  My users seem to be OK with the new policies, which I explained in an email blast.

Yes, we will continue to update our Java Runtime Environments – after all, there could be some locally installed software which needs the JRE and using the latest and greatest versions is just good practice.  And we’ll continue to implement other good practices (getting rid of unused software, keeping an eye on our log files and network traffic, keeping patches and fixes up to date and the like).

While I can’t say that we are totally protected from Java based attacks, I do feel that we have struck a pretty good balance between security and the need to let the business do business on this one.

 

 

Tagged with:
Oct 14

NLRB continues push to regulate social media in non union companies

By alberg CSO, law, worst practices Comments Off on NLRB continues push to regulate social media in non union companies

No union? No problem…

It seems that the National Labor Relations Board (NLRB) is continuing to extend its push into the regulation of social media in non unionized work places.  According to this Morgan Lewis LawFlash, two recent cases (which may end up in the appellate courts) continue the Board’s assault on workplace social media confidentiality policies.

In the first case, involving Costco, the NLRB found that a whole section of the firm’s social media policy dealing with prohibition of posting confidential information to social media platforms was rendered invalid because it included a ban on posting “payroll information,” which the NLRB felt pertains to protected activity under section 8(a)(1) of the Labor Relations Act.

The second case, involving an auto dealer named Knauz, struck down the employer’s social media policy based on the following language:

[c]ourtesy is the responsibility of every employee. Everyone is expected to be courteous, polite and friendly to our customers, vendors and suppliers, as well as to their fellow employees. No one should be disrespectful or use profanity or any other language which injures the image or reputation of the Dealership.

The Board felt that the language would discourage employees from using social media for activities covered under section 7 of the Labor Relations Act, such as organizing a union or having discussions about work conditions.

The lesson?  Make sure that your company’s Social Media policy passes muster with your legal team – and make sure your legal team knows about what the NLRB has been up to in this area.  Social media has the potential to be an exfiltration vector for your organization’s confidential information; you don’t want to end up with a policy which is thrown out when you need it most.

 

 

preload preload preload