Nov 30

als, bls, cissp

By alberg deep thoughts, systemic risk Comments Off

Those of you who have the misfortune to know me personally know that information security is but one piece of the pie that is Al Berg.  (mmmm…. pie…)  On Friday nights, I swap my desk for an ambulance of the Weehawken Volunteer First Aid Squad where I am an Emergency Medical Technician.  Most of the time, these two parts of my life don’t really intersect, but this week, I saw something that seems to bridge the gap.

So, there are two different kinds of ambulances here in the US.  BLS (Basic Life Support) rigs are staffed by EMTs who are trained in basic life support techniques focused on airway, breathing and circulation.  EMTs do not administer drugs – we cannot even give you a Tylenol for pain.  If you are unfortunate enough to be meeting us on a day when you are having a cardiac arrest, we will do CPR, give you oxygen and maybe zap you with an automated defibrillator.  We’ll also call for our ALS (Advanced Life Support) colleagues – the paramedics – to respond and give you the advanced monitoring and interventions (EKG, intubation, intravenous drugs, and the like) that we can’t.

As an EMT, I am always happy to have paramedics on any call, especially a cardiac arrest, so I was really surprised to read an article this week which described a study published in the Journal of the American Medical Association which found:

90 days after hospitalization, patients treated in BLS ambulances were 50 percent more likely to survive than their counterparts treated with ALS. The basic version was also “associated with better neurological functioning among hospitalized patients, with fewer incidents of coma, vegetative state or brain trauma.”

Now, to be clear, your chances of surviving an out-of-hospital cardiac arrest are pretty lousy… 9 out of 10 patients who ‘code’ in the field will not survive to hospital discharge.  CPR works way better on TV than it does in real life.

Anyway, while I am a bit skeptical of this study’s results, it does seem to me that there is a bit of an information security aspect to this.  Time and again we hear of companies who have spent big on flashy technology still getting owned by hackers.  For example, Target had purchased advanced anti-malware defenses from FireEye as well as outsourced monitoring for those defenses.  According to reports, the people and tech detected the bad guys, but failing to do “information security BLS” by examining the systems which were showing signs of trouble sealed Target’s place on the front page.

There are a lot of “information security BLS” measures that don’t use flashy technology or wheelbarrows of money that we can take to protect our systems:

  • Documented policies and procedures
  • Least privilege for user accounts
  • Segmentation of internal networks
  • Applying security patches and updates in a timely fashion
  • Security awareness training
  • Sharing information with other organizations

These (and many other) “information security BLS” interventions go a long way towards keeping hackers away from corporate data.  They aren’t complicated, and you don’t need to buy all sorts of blinkie light boxes to implement them.  Yet, time and again, companies fail to pay enough attention to them.  Part of the problem is that infosec professionals want to get hands-on with the latest technology, and doing some of these low-tech interventions requires serious time and planning to avoid negative impacts to the business.

So, my resolution for 2015 is to take another look at the Council on CyberSecurity’s Critical Security Controls list and make sure my organization is doing everything we can to implement them.   As an industry we need to make sure we are doing the BLS interventions right and apply the ALS level security-fu when it is needed.

Apr 30

Interesting blog post from Graham Cluley on LastPass’ support for using the Galaxy S5’s fingerprint reader as the key to your password vault.   Since the S5’s fingerprint reader has been shown to be vulnerable to low-sophistication fake fingerprint attacks, he wonders whether this (admittedly) very convenient feature is worth the risk.   As a LastPass user, I don’t think I would base the security of the keys to my entire digital life on this particular piece of hardware.  However, this does beg the question – does the low but non-zero risk of someone getting hold of your phone and fingerprint exceed the risk of using the same damn password on every site you visit?  LastPass also offers a mitigation for this scenario – it is possible to specifically permission which mobile devices can access your account.  If your phone is lost or stolen, it is possible to revoke that permission (if you notice the loss or theft quickly enough).  This is a risk calculation that users will have to make for themselves.

Apr 18

is the news toxic?

By alberg deep thoughts Comments Off

Your friendly neighborhood pusher?


This is a really well written critique of our addiction to the news.  According to the author, “News is bad for your health. It leads to fear and aggression, and hinders your creativity and ability to think deeply. The solution? Stop consuming it altogether.”

For me, this is one of those cases where I totally and emphatically agree with the writer, but can’t even picture taking his advice.  I guess that I truly am a news junkie.

Feb 26

An interesting thought from Adi Shamir at #RSAC Cryptographers Panel… Cryptography has been becoming **less** important over the last few years. When you wanted to know Napoleon’s plans, you put a spy next to him. When you wanted to know Hitler’s plans, you eavesdropped on his comms. Today, spies are moving towards use of advanced persistent threats, which sit inside of the organization, and get/exfiltrate data before encryption happens. We need to start thinking about how to hide the important information from the APTs which are already in the organization.

Aug 14

sharks versus cows

By alberg CSO, deep thoughts Comments Off

OK – what are you more afraid of – sharks or cows?  Well, according to the folks at Popular Mechanics (via blog Boing Boing), it is the crazed bovine death machines which are the real threat:

Between 2003 and 2008, 108 people died from cattle-induced injuries across the United States, according to the Centers for Disease Control and Prevention. That’s 27 times the whopping four people killed in shark attacks in the United States during the same time period, according to the International Shark Attack File.

It seems to me that information security risks are a lot like sharks and cows.  We infosec professionals love to talk about, hunt and defend against sharks, like zero-day vulnerabilities, state sponsored cyber-weapons, and other exotic threats.  However, it is the cows of the infosec world, like unpatched software, misconfigured systems and devices, human errors, and users falling for malware laden links or emails, that are much more likely to result in a system compromise.

When making decisions about where to put our limited infosec funds and resources, we need to decide whether the threat we are defending against is a shark or a cow.  Let’s take care of the cows first – before they take care of us.  Then we can have some fun and hunt the sharks!

May 01

According to a recent study by security firm Symantec, you are far more likely to encounter malware when visiting religious web sites than when visiting, ahem, adult sites.   In an article describing the finding, Network World had this to say:

Symantec found that the average number of security threats on religious sites was around 115, while adult sites only carried around 25 threats per site–a particularly notable discrepancy considering that there are vastly more pornographic sites than religious ones. Also, only 2.4 percent of adult sites were found to be infected with malware, compared to 20 percent of blogs.

In (related?) news, the University of British Columbia reported a study showing that encouraging people to use their analytic thinking skills causes a reduction in religious belief, even in pious persons.  Unfortunately, the study did not touch on whether the reduction in superstition was tied to increased use of, ahem, adult sites.


Oct 17

According to LieSpotting author Pamela Meyer, we live in a sea of deception, lying and being lied to dozens if not hundreds of times per day.  However, you can learn to spot liars and get to the truth.  She explains some of the statistics on lying as well as techniques to spot lies in this 20 minute TED talk.  Worth a viewing for all Paranoid Peeps.

Oct 04

elephant repellent

By alberg CSO, deep thoughts Comments Off

An elephant, a mouse, or a ghost?

Sometimes I feel like I’m selling elephant repellent:

I identify a particular species of elephant (for example, compromise of our networks due to spearphish delivered email).

I find examples of this particular elephant showing up on the networks of similar organizations.

I try to calculate the damage which said elephant would cause (which nearly always includes hard to quantify types of damage to things like “reputation” and “trust.”)

I run some tests to show that, yes, some of our users would in fact happily open the gates of the village to this particular elephant by clicking on just about any link emailed to them.

I then look for some sort of elephant repellent – a policy, a procedure, education, some technology or a combination of the above to keep said pachyderm from rampaging through our village.

Of course, elephant repellent is not free… there is a cost in productivity, usability, share of user attention, or cold hard cash. If the risk to cost ratio seems right, I take action, spraying elephant repellent all around the village. Time passes. No elephants show up, I proudly announce the success of this particular elephant repellent and start looking for the next elephant to repel. Of course, the question remains as to whether the lack of elephantine activity in the village is due to the repellent, well, repelling or whether the elephants never would have shown up at the village gates in the first place. (or whether the elephants will get clever and will show up next week and trample the place in spite of my efforts)

Elephants come in a variety of sizes. Some of them can rampage through the village and leave a wide path of destruction. Other elephants sound scary, but end up being more mouse like in their impact. If you ring the elephant alarm every day, the villagers (in particular, the village elders) are going to pay less attention as time goes on. Elephants are also unpredictable – sometimes they show up, other times, they pass your village by and trample the village next door. You gotta pick your elephants. I guess that is part of the “art” side of infosec (anticipating howls of protest from the quantitative guys on this).

At least Infosec people don’t usually have to deal with elephants which kill people – let’s say, a devastating earthquake. The stakes are, of course, very high in these cases and the village elders can get very angry when these elephants make it through the village gates. In fact, six seismologists and a government official are currently on trial for manslaughter in Italy for failing to predict an earthquake which struck the L’Aquila region in April, 2009. Yes, you read that right… While this episode may be an outlier, it does point out the rising expectations of all sorts of village elders (both corporate and governmental) as to the risk experts’ ability to make very accurate predictions of risks – expectations which may not be possible to achieve. Call it the “CSI effect” – we are used to seeing all sorts of cool technology providing definite answers to questions and we have come to expect that all questions can be answered in this way.

We as Infosec professionals have to strike a balance between the quantitative and qualitative approaches to choosing which elephants to worry about. To add to the problem, some of us (particularly in highly regulated industries like finance) are given a set of elephants which we must repel by regulators and other stakeholders. These “default elephants” may pose less risk to the village than other, less famous, elephants, but we have to divert resources (and repellent) to deal with them in order to stay in business.

So… the takeaway? We need to share best practices for spotting, measuring and evaluating risk from both a qualitative and quantitative point of view. Organizations like the FS-ISAC (and other industry ISACs) where we can share information in confidence with our peers are a great place to do this. We need to up the level of information sharing in these fora – while it is great to get lists of bad IP addresses and URLs, I’d also like to see more (anonymous) sharing of stories about risks and repellents. The more people looking at the elephant and reporting on what it did when it visited their villages, the better picture we can put together.

Aug 15

The latest in anti censorship tech

When I read about Telex, a research project aimed at making it easier to get past Internet censorship, my “split personality” – lover of freedom and justice versus corporate security guy kicked in right away.  You see, if widely implemented, Telex would make it much easier and safer for people living under repressive regimes to get past said regimes’ censorship of the Internets.  Built on client software, some clever crypto in packet headers and servers hosted by friendly ISPs, Telex would turn the idea of a proxy server inside out, effectively making the entire Internet (it’s a series of tubes, you know) one big proxy.

This would be really great – I would love to see the US government as well as non profit organizations host Telex servers to allow people in China, the middle east, and other places where freedom of expression is curtailed… however, Telex would also make my job as a security professional that much more difficult.  By installing a Telex client, the users on my corporate network might be able to bypass the web filtering we have put in place.  While some of that filtering is aimed at keeping people away from “non work appropriate sites,” there are other reasons to filter Internet access in the workplace as well.  For example, we block access to sites known to host malware.  We block access to sites which would put us in violation of various legal and regulatory mandates.  These are all legitimate things to do in a corporate environment, and our employees have unfettered access to the Internet outside of the office.  Employees using a system like Telex would put our company at risk.

Telex is still in the proof of concept stage and there needs to be a lot more software and infrastructure development done before it can be a reality on a large scale. As I said, I am 1000% pro Telex as a tool for people to bypass repressive regimes’ Internet censorship.  But I think that corporate Internet censorship (hate that word) is another kettle of fish altogether and we security professionals need to keep an eye on Telex and similar technologies.  I feel like I should be dressing like these guys after writing this…


Aug 13

Are Tweets, BBMs, or Facebook updates weapons of mass mayhem?

OK… I have no problem with police departments (such as those in New York City and London) setting up units to look at (public) social media sites for signs of impending lawbreaking, whether it be morons rioting, morons flash-robbing, or morons planning other mayhem.  More power to them… I think that if you tweet or Facebook your nefarious plans for the world to see, you should have an additional count of felony stupidity added to your charge sheet.  I also have no problem with the authorities turning off communications facilities when there is a credible and imminent threat to life and limb, such as the possibility of a cell phone triggered improvised explosive device.  But, when I first read about the Bay Area Rapid Transit (BART) police’s move this past Thursday evening rush hour, when they disabled cellphone communications on the underground portions of the BART system, I felt very uncomfortable.  This sounds like something that repressive regimes like Egypt, Syria, or Libya would do to their people, not something which could happen in the US.  Then I read BART’s statement about the cellular interruption and got to thinking:

Organizers planning to disrupt BART service on August 11, 2011 stated they would use mobile devices to coordinate their disruptive activities and communicate about the location and number of BART Police. A civil disturbance during commute times at busy downtown San Francisco stations could lead to platform overcrowding and unsafe conditions for BART customers, employees and demonstrators. BART temporarily interrupted service at select BART stations as one of many tactics to ensure the safety of everyone on the platform.

You can find the full statement here.

First of all, BART probably broke the law by doing this.  It is against federal law to interfere with licensed wireless communications.  Even prisons (which, in my opinion should be able to operate cellphone jammers) have been prevented from doing so in the past.  (Yes, I know that BART did not jam the signals, they simply shut down existing cell sites – the result was the same, though).

Now, depending on what kind of information BART had, there may have been a (morally) acceptable reason for taking action.  For example, if the information was very clear in stating that the types and methods of protests were aimed at inducing overcrowding on platforms (a situation dangerous to life and limb) and there was reason to believe that the threat was credible and imminent, I might have been tempted to make the same decision.  But there are some other factors to consider (apart from the legal issue).

First and foremost, what about people already on the BART system who might need access to 9-1-1?  Well, the NYC subway system has no cell service on its underground portion (thankfully) and manages to have a mechanism (call boxes) for getting help in an emergency.  I assume BART is similarly equipped, so the cell service failure did not totally isolate riders from help.  Yes, had someone been on the phone with 9-1-1, their call would have been interrupted, but they could then resort to the call box – not ideal, but workable.

Second… if BART management felt the threat to be credible and that mobile devices were an integral part of the threat, they really only had two choices – shut down cellular service, or shut down stations where they felt the threat was greatest.  The latter option is not a perfect solution (the protestors would just regroup via Twitter) and would inconvenience thousands of innocent commuters.

We are just not yet equipped to make decisions like this and we need to be.

My takeaways from this:

Mobile devices and social media pose new challenges to law enforcement and new potential dangers to the public (as last week’s riots in London seem to have demonstrated).  Getting a mob together and coordinating their actions is a lot easier than it used to be and law enforcement needs tools to deal with this problem in a way which preserves public order but which also respects the rights of the people to peacefully assemble and protest.  This is not an issue to be left to local police departments – we need to do this at the federal level as it is a constitutional issue.

If we decide to allow law enforcement to disrupt communications to preserve public order, we need to have strict standards as to what constitutes a serious and imminent threat to public order and there must be a process to publicly review any such decision after the fact – and consequences for those who make the wrong decision.  The body that makes the (very quick) decision to pull the plug needs to have both law enforcement and civilian members (maybe a constitutional lawyer?).

Other risks need to be considered – for example, using a bunch of social media bots, a miscreant could create a denial of service attack on communications by creating a “virtual” flash mob that exists only in cyberspace, but looks big and scary.  In addition to inconveniencing the public, such an attack could be used as an aid to committing other types of crime.  If these fake flash mobs were to become a regular event, public support for anti flash mob measures could dwindle, leaving us where we are today.

Hopefully our elected officials will take some time out from serving their special interest masters, playing party politics, destroying the economy, and all of the important work that they love so much to take a look at an important issue in a rational way.  Oh, wait…