Archive for the ‘Cybersecurity’ Category

Stratigos CEO presents at Digital Biomarkers & Digital Measurements Summit

November 17, 2020

Stratigos Security Founder and CEO, Beau Woods, delivered a presentation and joined a panel discussion at the Digital Biomarkers & Digital Measurements Summit today. The session focused on evaluating biomarkers, measurements, and sensors, with Beau’s presentation concentrating on the topics of cybersecurity, and data rights and governance.

Stratigos CEO speaks at UCCS Ethics in Cybersecurity event

November 13, 2020

Stratigos Security Founder and CEO, Beau Woods, was invited to deliver the closing “call to action” at the University of Colorado Colorado Springs Ethics in Cybersecurity event today. The event brought together high school and college students, as well as others from academia, industry, and government, with the goal of surfacing and analyzing real-world ethical challenges across the broad cybersecurity field, from military operations to vulnerability disclosure to data breaches.

The call to action focused on the power of independent volunteers to address increasingly challenging issues in cybersecurity, such as through initiatives like I Am The Cavalry and the CTI League.

Stratigos CEO lectures at CU Boulder Entrepreneurial Policy Academy

November 12, 2020

Stratigos Security Founder and CEO, Beau Woods, delivered a lecture today at the Entrepreneurial Policy Academy, a joint undertaking by Silicon Flatirons at CU Boulder’s Law School, Startup Colorado, and Telluride Foundation. The presentation draws on Beau’s experience engaging in public policy at the state, federal, and international level, and will be made available as open courseware by the University.

Stratigos CEO keynotes H-ISAC Medical Device Security Workshop

November 1, 2020

Stratigos Security Founder and CEO, Beau Woods, was invited to keynote the Health Information Sharing and Analysis Center (H-ISAC) Medical Device Security Workshop, on October 29, 2020. The event brought together representatives from healthcare providers, medical device makers, and the security research community.

Beau’s keynote focused on the need to work together collaboratively, in the face of a society that sees itself more divided than ever, facing many of its hardest challenges in living memory. The full script of this talk is available below.


Stratigos CEO quoted in Washington Post on Cybersecurity Awareness Month

October 2, 2020

Stratigos Security Founder and CEO, Beau Woods, was mentioned in a Washington Post story, Americans are as insecure as ever on the 17th annual Cybersecurity Awareness month.

“Awareness is the first step along a path towards fully addressing issues caused by cybersecurity failures. Perhaps it’s time to take the next step toward catalyzing action.”

Beau Woods, Founder and CEO

Stratigos CEO featured in RSA Conference video interview

October 1, 2020

Stratigos Security Founder and CEO, Beau Woods, was featured in a video interview with RSA Conference organizer, Cecilia Marnier. Beau and Cecilia discussed supply chain impacts from the recent ransomware attack against CMA-CGM, as well as other types of cyber supply chain risks.

Stratigos CEO featured in RSA Conference video interview

September 30, 2020

Stratigos Security Founder and CEO, Beau Woods, was featured in a video interview with RSA Conference organizer, Cecilia Marnier. Beau and Cecilia talked about the recent security incident at Universal Health Services that left many of their facilities offline.

Stratigos CEO joins Council on Foreign Relations panel

January 17, 2019

Stratigos Security Founder and CEO, Beau Woods, joined a panel discussion at the Council on Foreign Relations, titled Hacking and the Internet of Things. Woods appeared alongside Niloofar Razi Howe, Former Global Chief Strategy Officer, RSA Security LLC, and Robert K. Knake, formerly with the US National Security Council, moderated by Craig Timberg, National Technology Reporter, Washington Post.

Stratigos CEO featured in Council on Foreign Relations podcast

June 2, 2017

Stratigos Security Founder and CEO, Beau Woods, sat down for a podcast with Micah Zenko, from the Council on Foreign Relations. Listen now: The Need for New Cyber Thinking: A Conversation with Beau Woods

Top Technical Mitigation Strategies (from the Australian DSD)

June 2, 2015

There are few solid pieces of empirical evidence on what works in security. The Australian Defence Signals Directorate (DSD) Strategies to Mitigate Targeted Cyber Intrusions is one of those. We at Stratigos Security think a lot of what they do. So does just about everybody else who has come into contact with the documentation.

This post examines some of the assumptions, implications, and a conceptual framework to better understand the document. Let’s start with some of the stated background and assumptions.

  • Investigation based – That the mitigations are a result of analysis of investigations carried out by the DSD, primarily in the government sector.
  • Adversary focused – That the mitigations are meant to counter adversarial attack.
  • Targeted attacks – That the adversaries are motivated to target the victim organization, specifically.
  • High value information – That the adversaries’ objective is to steal intellectual property, national defense secrets, or other highly sensitive documents.
  • Exhaustive application of mitigations – That mitigations will be applied to 100% of systems, not just a subset.

There are 35 total mitigations listed, almost all of which are specific technical controls. At Stratigos Security we like to bundle technical controls into a higher-level framework. This is more digestible for our clients, and allows for a better understanding of why these mitigations work. That’s the key to long-term success in design, implementation, operation, and maintenance of a security program.

Stratigos has aligned most of these mitigations into a few core objectives. In doing so, we seek to harmonize them so each builds on the others. The set works together much better than the sum of the individual mitigations. Our objectives are listed below, each with examples of mitigations from the DSD document.

  1. Execute only trusted code – Authorized software packages, components, and functions are defined and enforced.
    • Whitelisting
    • User application configuration hardening
    • Restrict administrative privilege
    • Workstation and server configuration management
  2. Ensure code is trustworthy – Software is free from known defects.
    • Patch applications
    • Patch Operating System vulnerabilities
  3. Ensure trusted input – Information and commands are legitimate, meaningful, and non-malicious.
    • Host and network firewall
    • Email and web content filtering
    • Education and awareness
  4. Manage access – Access proceeds only through known mechanisms, which validate authorization and identity.
    • Multi-factor authentication
    • Enforce a strong passphrase policy
  5. Contain failure – Security failures in one system or network segment do not affect other systems or segments.
    • Network segregation and segmentation
    • Anti-Virus
    • Host and network IPS
    • Operating System generic exploit mitigation
  6. Eliminate anomalies – Causes of unknown and unexpected events are identified and eliminated, as appropriate.
    • Logging of successful and failed system events
    • Logging of successful and failed network events
    • Capture network traffic

Astute readers will notice that there is a large gap between the objectives and the underlying mitigations. The mitigations are tools, or supporting technologies, that help achieve the objectives, but they do not ensure the objectives will be achieved. This underscores one of the major mistakes most organizations make when they go to implement such a set of mitigations. It’s worth going back to the background and assumptions and identifying some of their consequences. Of course, this is far from an exhaustive list.

  • Limited applicability – These mitigations come from investigations of Australian government organizations. Other organizations may have different experiences.
  • Accidents are excluded – Security risks which result not from adversarial attack, but from accidents are not included. (One of the most common is data breach caused by theft or loss of a mobile device, laptop, or backup tape.)
  • Mobile devices are specifically excluded – The mitigations apply to workstations and servers, but not to mobile devices.
  • Governance, process, personnel are poorly covered – The mitigations do not include non-technical approaches, which can significantly affect security, risk, and cost.
  • Alternate risk mitigation – Risk mitigations available to corporate entities – such as insurance – are not available.
  • Cost considerations – Corporations typically require some measure of value justification, associating costs and risks to profitability, rather than to national security or human life.
  • Impacts – Impacts should be analyzed in the context of the specific solution in the proposed environment.
  • Implementation quality – Poor implementation of the mitigations would result in reduced effectiveness.
  • Implementation completeness – Applying mitigations to fewer than 100% of systems would change effectiveness and cost estimates.

Knowledge of the stated assumptions, their consequences, and the unstated assumptions is key to implementing the mitigations appropriately. You can only fill in the missing pieces when you recognize that they exist, and where. Some of these missing pieces can help you greatly reduce cost, not just add more to the shopping list.

But we’re digressing from the point here. These six objectives are not the only ones that can be derived from the Australian DSD’s guidance. They have worked for our clients and they allow a fairly complete mapping to the 35 mitigations. This superset also naturally aligns to strategic initiatives to develop processes to take full advantage of these tools. Maybe we’ll add more on that in a future post.