Category Archives: Opinion

Don’t let it happen to you

This is a time of year when we reflect on our personal and professional lives, and think about the coming years and what we want to accomplish. I’ve been thinking about this over the past couple of days… yesterday, an important news story about the 2013 Target security breach was published. The article states that Judge Paul A. Magnuson of the Minnesota District Court has ruled that Target was negligent in the massive 2013 holiday shopping season data breach. As such, banks and other financial institutions can pursue compensation via class-action lawsuits. Judge Magnuson said, “Although the third-party hackers’ activities caused harm, Target played a key role in allowing the harm to occur.” I have provided a link to the article at the end of this message.

Clearly, this is really bad news for Target. This legal ruling may have a chilling effect on other merchant and retail organizations.

I don’t want you to experience what Target is going through. I changed jobs at the beginning of 2014 to help as many organizations as possible avoid major breaches that could cause irreparable damage. If you have a security supplier and service provider that is helping you, great. If you fear that your organization may be in the news someday because you know your security is deficient (or you just don’t know), we can help in many ways.

I hope you have a joyous holiday season, and that you start 2015 without living in fear.

http://www.infosecurity-magazine.com/news/target-ruled-negligent-in-holiday/

Padding Your Resume

It’s a popular notion that everyone embellishes their resume to some extent. Yes, there is probably some truth to that statement. Now and then we hear a news story about people “padding their resumes”, and once in a while we hear a story about some industry or civic leader who is compelled to resign their position because they don’t have that diploma they claimed to have on their resume.

Your resume needs to be truthful. In the information security profession, the nature of our responsibility and our codes of ethics require a high standard of professional integrity. More than in many other professions, we should not ever stretch the truth on our resume, or in any other written statements about ourselves. Not even a little bit. Those “little white lies” will haunt us relentlessly, and the cost could be even higher if we are found out.

- first draft excerpt from Getting An Information Security Job For Dummies

iOS Apps That Improve My Professional Life

I rarely write publicly about apps I use on my iPhone and iPad, but there are a few I have been raving about with my colleagues and clients lately.

1. Sleep Cycle

sc1This is a unique alarm clock that tracks my sleep quality. It uses the iPhone’s motion sensors to track whether I’m tossing and turning, or sleeping more soundly.  But my favorite feature is the intelligent wake-up alarm that gently wakes me up when my sleep is shallower.  How it works: say that I want my alarm to go off at 6:00am; sleep cycle will monitor my sleep “depth” for the 20 minutes (configurable) prior to 6am and awaken me when I’m almost awake anyway.  The result: since starting to use Sleep Cycle three months ago, I have not been shocked out of a deep sleep by my alarm. Instead, I’m nudged awake and, as the first thing I experience during the day, it makes for a better day.

2. Waze

w1This is the navigation app that sort of “crowdsources” traffic conditions and hazards. Like Google Maps, it speaks turn by turn directions to my destination. But where it’s different: Waze is aware of the speeds of other drivers on my route, and if traffic suddenly slows (on the interstate as well as on city streets and country roads), Waze will navigate me around it.

Another cool feature: if there is a hazard ahead (accident, vehicle in road, vehicle on shoulder, debris), Waze will warn me with remarkable accuracy.  How this works: as you are traveling your route, if you see one of these, two or three taps will mark the hazard and warn others behind you.  When the hazard is gone, you just tap “not there” and drivers behind you won’t be warned.

Another nice feature for me is that the turn by turn directions can be transmitted via Bluetooth to my so-equipped motorcycle helmet, with my iPhone in my jacket pocket. I get turn by turn directions in audio only, and I can still find my way to a new client location in nice weather when I’m motorcycling.

3. Uber

Perfect for my business travel. I really don’t need to say any more.

4. Urban Spoon

As a frus1equent business traveler, I’m often trying new restaurants and looking for something new for internal or client dinners. You can filter by cuisine, distance, rating, cost, or just randomly select someplace nearby if you are feeling adventurous.

The security breaches continue

As of Tuesday, September 2, 2014, Home Depot was the latest merchant to announce a potential security breach.

Any more, this means intruders have stolen credit card numbers from its POS (point of sale) systems. The details have yet to be revealed.

If there is any silver lining for Home Depot, it’s the likelihood that another large merchant will probably soon announce its own breach.  But one thing that’s going to be interesting with Home Depot is how they handle the breach, and whether their CEO, CIO, and CISO/CSO (if they have a CISO/CSO) manage to keep their jobs. Recall that Target’s CEO and CIO lost their jobs over the late 2013 Target breach.

Merchants are in trouble. Aging technologies, some related to the continued use of magnetic stripe credit cards, are making it easier for intruders to steal credit card numbers from merchant POS systems.  Chip-and-PIN cards are coming (they’ve been in Europe for years), but they will not make breaches like this a thing of the past; rather, organized criminal organizations, which have made a lot of money from recent break-ins, are developing more advanced technologies like the memory scraping malware that was allegedly used in the Target breach. You can be sure that there will be further improvements on the part of criminal organizations and their advanced malware.

A promising development is the practice of encrypting card numbers in the hardware of the card reader, instead of in the POS system software.  But even this is not wholly secure: companies that manufacture this hardware will themselves be attacked, in the hopes that intruders will be able to steal the secrets of this encryption and exploit it. In case this sounds like science fiction, remember the RSA breach that was very similar.

The cat-and-mouse game continues.

Internal Network Access: We’re Doing It Wrong

A fundamental design flaw in network design and access management gives malware an open door into organizations.

Run the information technology clock back to the early 1980s, when universities and businesses began implementing local area networks. We connected ThinNet or ThickNet cabling to our servers and workstations and built the first local area networks, using a number of framing technologies – primarily Ethernet.

By design, Ethernet is a shared medium technology, which means that all stations on a local area network are able to communicate freely with one another. Whether devices called “hubs” were used, or if stations were strung together like Christmas tree lights, the result was the same: a completely open network with no access restrictions at the network level.

Fast forward a few years, when network switches began to replace hubs. Networks were a little more efficient, but the access model was unchanged – and remains so to this day. The bottom line:

Every workstation has the ability to communicate with every other workstation on all protocols.

This is wrong. This principle of open internal networks goes against the grain of the most important access control principle: deny access except when explicitly required. With today’s internal networks, there is no denial at all!

What I’m not talking about here is the junction between workstation networks and data center networks. Many organizations have introduced access control, primarily in the form of firewalls, and less often in the form of user-level authentication, so that internal data centers and other server networks are no longer a part of the open workstation network. That represents real progress, although many organizations have not yet made this step. But this is not the central point of this article, so let’s get back to it.

There are two reasons why today’s internal networks should not be wide open like most are now. The first reason is that it facilitates internal resource sharing. Most organizations have policy that prohibits individual workstations from being used to share resources with others. For instance, users can set up file shares and also share their directly-connected printers to other users. The main reason this is not a great idea is that these internal workstations contribute to the Shadow-IT problem by becoming non-sanctioned resources.

The main objection to open internal networks is that they facilitate the lateral movement of malware and intruders. For fifteen years or more, tens of thousands of organizations have been compromised by malware that self-propagates through internal networks. Worms such as Code Red, Nimda, Slammer, and Blaster scan internal networks to find other opportunities to infect internal systems. Attackers who successfully install RATs (remote access Trojans) on victim computers can scan local networks to enumerate internal networks and select additional targets. Today’s internal networks are doing nothing to stop these techniques.

The model of wide-open access needs to be inverted, so that the following rules of network access are implemented:

  1. Workstations have no network access with each other.
  2. Workstations have access ONLY to servers and services as required.

This should be the new default; this precisely follows the access control principle of deny all except that which is specifically required.

Twenty years ago, this would have meant that all workstation traffic would need to traverse firewalls that would made pass or no-pass decisions. However, in my opinion, network switches themselves are the right place to enact this type of access control.

Why wait for a security breach to improve security?

Neiman Marcus is the victim of a security breach. Neiman Marcus provided a statement to journalist Brian Krebs:

Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorised payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.

We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensic firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result.

We have begun to contain the intrusion and have taken significant steps to further enhance information security.

The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.

I want to focus on one of Neiman Marcus’ statements:

We have … taken significant steps to further enhance information security.

Why do companies wait for a disaster to occur before making improvements that could have prevented the incident – saving the organization and its customers untold hours of lost productivity? Had Neiman Marcus taken these steps earlier,  the breach might not have occurred.  Or so we think.

Why do organizations wait until a security incident occurs before taking more aggressive steps to protect information?

  1. They don’t think it will happen to them. Often, an organization eyes a peer that suffered a breach and thinks, their security and operations are sloppy and they had it coming. But alas, those in an organization who think their security and operations are not sloppy are probably not familiar with their security and operations. In most organizations, security and systems are just barely good enough to get by. That’s human nature.
  2. Security costs too much. To them I say, “If you think prevention is expensive, have you priced incident response lately?”
  3. We’ll fix things later. Sure – only if someone is holding it over your head (like a payment processor pushing a merchant or service provider towards PCI compliance). That particular form of “later” never comes. Kicking the can down the road doesn’t solve the problem.

It is human nature to believe that another’s misfortunes can’t happen to us. Until it does.

Why there will always be security breaches

At the time of this writing, the Target breach is in the news, and the magnitude of the Target breach has jumped from 40 million to as high as 110 million.

More recently, we’re now hearing about a breach of Neiman Marcus.

Of course, another retailer will be the next victim.  It is not so important to know who that will be, but why.

Retailers are like herds of gazelles on the African plain, and cybercriminals are the lions who devour them.

As lions stalk their prey, sometimes they choose their victim early and target them. At other times, lions run into the herd and find a target of opportunity: one that is a little slower than the rest, or one that makes a mistake and becomes more vulnerable. The slow, sick ones are easy targets, but the healthy, fatter ones are more rewarding targets.

As long as their are lions and gazelles, there will always be victims.

As long as there are retailers that store, process, or transmit valuable data, there will always be cybercriminals that attempt to steal that data.