Archive

Posts Tagged ‘Information security’

Schadenfreude and Shame in Security

December 23, 2014 Comments off

Hype, opportunists, and bad ideas are getting the spotlight after the massive breach of Sony Pictures. Most of us observers are sitting back and enjoying the schadenfreude of it all. For the general population that’s an understandable reaction; for those of us in the Information Security community it’s shameful.

Rather than take proactive, positive steps, we have sat on Twitter and watched as Sony and the Government have clumsily fumbled the situation. We often think we know what’s best, yet when our expertise would be most useful, most of us lurk in the background, sniggering to each other in our smug superiority.

In abdicating our role as ambassadors of technical literacy, we allow the story to be shaped by others. Often, those who run into the spotlight during these types of events are not experts or advocates for rational approaches, but opportunists promoting a specific agenda. The absence of a voice of reason from our community leaves a deafening silence. But don’t worry, we’ll fill that void with complaints once a solution has been enacted and we see that it won’t work.

Instead, the information security community should be engaging in the media and geopolitical discussions, injecting real solutions to solving systemic issues. We should be raising questions and bringing to light topics such as

  • Opportunism and fear mongering by politicians and our own industry.
  • Vandalism portrayed as terrorism.
  • The inadequacy of traditional investigative methods in cybercrime.
  • Statements, statistics, accusations, and claims made without supporting evidence, references, or credibility that go unchallenged.
  • Pre-determined attribution in hacking and geopolitics.
  • A geopolitical reaction to issues stemming from poor corporate oversight.
  • The hypocrisy of calling an attack on a film studio terrorism, while admitting to attacking military and government networks (hat tip to Jericho).
  • The information security industry taking $75B per year (according to Gartner) from the global economy without reduction in frequency or severity of information security incidents.

There isn’t one way to engage in the discussion, or to bring these issues (or others – and there are many others) out. However, there is a single way to fail at doing it, and that’s to fail to try. We, in the information security community, could have a great deal of influence if we chose to. When the world is powered by computers and software, those who know how to control those technologies have great power. But with great power comes great responsibility. Use it. Wisely.

UPDATE: @MarnixDekker points out that these are not really technology issues. But I counter that’s exactly the point. Why do we build technology of not to solve societal and human scale issues? If we are creating technology to its own end, others will use it as their means. We have seen where that leads, and it’s not a mistake we should be eager to make, nor naive enough to think won’t happen.

Infosec Management Tip: Principles Are More Important Than Tactics

August 27, 2012 Comments off

Principles Are More Important Than Tactics

Security doesn’t come from the specific things you do. It comes from an overall approach to doing everything. In that sense, the principles that underpin your decisions and actions matter more than the decisions and actions themselves. Those statements may seem inscrutable or contradictory so I owe you further explanation.

Process and procedure can never be made so that they will, in isolation, provide optimum security. Even for very well thought out, nearly comprehensive tactics unplanned events will always come up. You’ll have to make decisions when there’s no written plan and no precedent. When you’re making those decisions you need to weigh all the factors you can take into account and move forward based on your judgement. Your judgement here is a point-in-time reflection of your principles. If your principles fail you, so will your judgement and you’d have to get lucky for your decision to be the right one.

In most organizations, processes and procedures leave a lot of room for decision making. It’s not just the occasional judgement call that has to be made, these usually happen on a daily basis at most levels of the organization. So strong tactics but poor principles will compound over time and erode even the best security program.

Instead, focus on coming up with strong principles, and make sure everyone knows them. Clear communication, understanding and internalization is key to having principles, not just tactics. This way whenever any decision is made, there’s a good chance that the judgement behind it is sound. This also, by the way, will push decision-making down in the organization, freeing up management to tackle larger and more strategic issues and critical problems.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Business Is About Taking Risks

August 23, 2012 Comments off

Business is About Taking Risks

One of the fundamental things that drives our economy is risk-taking. That’s the natural inclination of the most successful business people I’ve met. There’s risk in both going in a new direction – what you might call “venture risk” – that separates the promising businesses from the failing.

Let’s look at an example to better illustrate the point. Suppose we have two otherwise identical chair makers, making identical chairs. One day they overhear someone mentioning that having a cup holder built into the chair would be a good thing. That’s never been done before, so there’s a risk in making something different. Now one maker takes a venture risk and builds his next line of chairs with a cup holder and it’s a hit, selling twice as many as before and even commanding a premium. The risk-averse chair maker sticks with the old design and sees a drop off in sales. The venture risk-seeking businessman wins. Enough of these successful venture risk decisions and he drives the other chair maker out of business.

(By the way, this is a principal criticism of  the labor theory of value popularized by Karl Marx and which underpins Socialism. Also for more on risk-averse behavior check out the awesome TED presentation where Laurie Santos shows our behavior can be just as irrational as Capuchin monkeys.)

But thinking back on the same situation, it’s possible to see that the risk-averse chair maker is also taking a risk. His risk is that failure to innovate will drive his company out of business. Now, his is actually what we would see traditionally as the safer bet. But expanding on the scenario just a little bit it’s possible to show that the status-quo is actually riskier. All you have to do is assume that some day a better chair will be created and put into production. This virtual certainty also virtually guarantees that the risk-averse chair maker will eventually go broke.

Most businesses today are a far cry from this idealized chair maker – even the chair making industry. But the vignette translates well to the highly risk-averse attitudes of many CISOs and other information security professionals today. They try to eliminate all security risk, but in doing so they virtually doom the enterprise to certain failure. That’s why they’re often perceived as ineffective. Instead, CISOs should help their companies make smart decisions and help protect against security, privacy and compliance threats when taking venture risks.

Hat tip to Andy Ellis, CISO of Akamai, whose keynote at Hack In The Box Amsterdam partially inspired this post. You’re a smart man, Andy.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Korea Telecom Breach First Under New Law

July 31, 2012 Comments off

It was recently announced that Korean hackers had breached Korea Telecom (KT) and sold personal information on 8.7 million individuals to telemarketers for nearly $900,000 (1 billion KRW). Both the two hackers, as well as seven telemarketers have been arrested and charged with crimes. But soon Korea Telecom may find themselves in court under a new Korean law.

The KT breach may have taken 7 months to execute, though it is not clear whether this indicates how long the attackers had access to KT networks. The breach was said to have been detected by internal security systems in mid-July. In a statement by Korea Telecom, they say that the information has been “returned” and that there should be no further damage; however the Korean Telecom Commission has said that they can’t be 100% certain of that. KT has not said whether the information leaked includes financial information such as credit card numbers or bank accounts, but given the extensive list of items that were leaked it is likely that this information was at least accessible to the attackers. The information the company admits was leaked includes the following.

The attackers, as well as buyers of the illegal information have been arrested. Based on early reports it appears that the attackers had help from an insider to bypass security systems and gain information on Korea Telecom’s internal systems. The attackers are reported to have claimed they attacked KT because KT has the highest profits, though it’s not clear whether there was a political motivation as well as financial for the attacks.

Korea has experienced many high profile breaches over the last 5 years. Most Koreans have likely been affected by many of these personal information compromises. All told, the number of records breached exceed the number of citizens of the country by a wide margin. What’s unclear is whether the actual number and severity of breaches has increased or whether they’ve gotten more attention. But the rate of breaches seems to have increased. Here is a brief list of several high profile breaches since 2008:

Legal remedies for individuals harmed have been tough to come by. A court case against Auction Korea, for example, was unsuccessful because judge decided that the plaintiffs had failed to demonstrate causality. That is, they couldn’t show that the defendant had caused the breach, nor could they show that poor security was chiefly responsible for it. Therefore Auction Korea was not deemed liable for the associated damages. At the time it was not possible to sue for negligence under Korean law.

The Korea Telecom breach is the first one since the Personal Information Protection Act (PIPA) came into effect in 2012 in Korea. (Note that this is not related to the US Protect IP Act.) The Korean PIPA law is described as a “comprehensive personal data protection law,” which restricts collection of personal information and specifies handling precautions must be in place to prevent breaches. And in a reversal of the provision that has prevented successful legal actions, PIPA allows the plaintiffs to sue for negligence. This tactic puts the burden of proof on the company that suffered the breach to demonstrate that their measures were compliant with PIPA.

If a case is brought against Korea Telecom under PIPA, the result will set a precedent in the Korean legal system. But that case may not be hard to prove. A Korean lawyer is quoted as saying “As the results of the investigation haven’t been announced, it is hard to make a provisional conclusion. But that fact that the criminals who leaked KT personal information prepared their hacking program for 7 months and it was hardly detectable as they leaked samll amount of information. For now, there still a possiblility that KT can claim that they upheld their duty of technical protective action well.”

Privacy rights proponents should carefully weigh the benefits of taking this case to court. On the one hand, they should seek justice on the part of the wronged and consequences on the part of the breached. On the other, if they fail to make a strong case the precedent set may set privacy rights back. Either way, this will be a case to look for if it appears on the dockett.

DISCLAIMER: Stratigos Security is not offering a legal opinion, nor has this article been written by a lawyer. Although we did use the services of a Korean translator for much of the research and fact checking, there may still be errors due to the language barrier. We ask that you take our words with a grain of salt and independently verify important facts. That’s just good journalistic practice. We did the best we could, but you shouldn’t believe it just because it’s on the Internet. That’s just plain common sense.

Infosec Management Tip: Prioritize Based on the Business

July 23, 2012 Comments off

Prioritize Based on the Business

A lot of data isn’t worth what we spend to protect it. What’s worth protecting and what’s just not? That’s not a decision IT and IT Security should be making. Instead, count on the business to help you prioritize. This goes along with our tip to cultivate understanding between the business and Infosec. Prioritize security controls that play into what the business needs and leave the others for later. (And document this decision for the auditors!)

Example: If you’re working for Coca-Cola and you say to your Chief Taste Magician (or whatever his title would be) that you want to help him protect the secret formula he probably won’t care. Anybody with access to a mass spectrometer and a basic understanding of how to read the printout can figure out the formula. But he is going to care about patenting the technology they’re developing to get the soda fountain mouth-feel into a plastic bottle. That’s his priority for the Taste Lab and it should be yours too.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Beware Security Fads

July 20, 2012 Comments off

Tools are a Means, Not an End
One of the biggest shames of our industry right now is that “silver bullet” tools have such a hold on media and mind share. Organizations typically try to deploy the latest product in isolation, without understanding what’s causing the issues they’re seeing. But tools used this way are bound to fail, raid the corporate budget, tie up valuable resources and just obscure the symptoms of the problem for a while longer. Organizations can only fix what’s broken by understanding the problems clearly and developing a solution using proven methods that fixes them. Only then should you start thinking about what tool fits into the solution.

Example: A lot of companies have asked about “tuning” their latest flashy box that’s not working right. But when you get talking to them, you find that the problem isn’t with the product it’s somewhere else. Even if the product was at 100% efficiency, you still wouldn’t be able to solve the problem. One company had spent tens of millions of dollars on SIEM and other tools, but were using business school interns to run the SOC and didn’t have any plan for handling incidents! Another company had a DLP device that sat on the shelf for 2 years, and they hadn’t even clearly defined what data they cared about or where it should and shouldn’t be. Tuning in those situations would only be an expensive way of buying false assurance.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with others like you. If you like what you read, come back for more!

Infosec Management Tip: Cultivate Understanding

July 16, 2012 Comments off

Cultivate Understanding
This is the opposite of running around trying to inform everybody of what you think is the biggest problem. It means getting with them to understand what their problems are, where their risk prioritization is and then find out where your concerns fit in there. Maybe they’re already aware of the threat and aren’t concerned; or maybe they have a way to mitigate it you hadn’t thought of; or maybe they need to listen, but don’t trust Infosec yet. By bringing the business into the Infosec decision making process, there’s more trust, more chance they’ll listen when you talk, more chance you’ll have the right answer for their needs and usually that all means more budget, plus more willingness to go along with what you want!

Example: I know of a company that was going into China to open R&D centers. The CISO was trying to say “no we shouldn’t, it’s too risky because somebody could steal our IP.” But the business knew this – their strategy around it was to lean on other assets like brand reputation (which is actually fairly well protected in China) to prevent against that. In other words, lost IP wouldn’t necessarily translate into lost revenue or profits. In another company the BOD wanted to have their updates and formal reports delivered to an iPad. The CISO worked with Finance to say yes because the costs of securing the digital distribution were less and results better than securing the hard copies. IT and Security helped save money, reduce risk and got a high visibility win for the company.

This is part of a series of short tips for Information Security Managers, where Stratigos Security will provide you with some of the benefits of our experience working with companies large and small. If you like what you read, come back for more!