jump to navigation

New Article: Exploits, Vulnerabilities & Threat Adaptation March 17, 2020

Posted by Chris Mark in cybersecurity, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

AT&T CyberSecurity published my new blog post.  You can read it here!

“Security, whether focused on physical, cyber, operational, or other domains, is an interesting topic that lends itself to considerable debate among practitioners.  There are, however, basic concepts and underpinnings that pervade general security theory. One of the most important, yet often misunderstood concepts are those inextricably entwined concepts of vulnerabilities and exploits.  These basic underpinnings are critical in all security domains. 

What are exploits and vulnerabilities and why are they important to the study of security?

First, security cannot be considered a binary concept such as: “secure” or “not secure”.  The appropriateness of any security strategy is relative to the controls implemented to address to identified risks.  One cannot say: “my house is secure”.  The measure of security is predicated upon the identified risks and the associated controls implemented to address those risks.  One can say: “My house has been secured in a manner that is commensurate with the identified risks”.  Second, security should be viewed as a function of time and resources.  Finally, security, in any domain, can never be ‘assured’ nor can there be a ‘guarantee’ of security.  The reason is simple.  Technologies change and human threats are adaptive.  According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:

“…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.” The concept of threat adaptation is directly linked to the defense cycle.  In short, as defenses improve, threat actors change their tactics and techniques to adapt to the changing controls.  As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections.  This cycle continues ad infinitum until there is a disruption.”  Read the whole article!

What Coronavirus can Teach us about CyberSecurity February 28, 2020

Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.
Tags: , , , , , , , , , ,
add a comment

The 2020 RSA CyberSecurity Conference was held recently in San Francisco, California. There were some notable companies that elected to not attend this over safety concerns related to Coronavirus.  On February 25th the mayor of San Francisco declared a state of emergency for their city over Coronavirus fears.

This state of emergency was declared is in spite of the fact that there are no confirmed cases of Coronavirus in the city. Mayor Breed, in discussing her prudent steps stated: “We see the virus spreading in new parts of the world every day, and we are taking the necessary steps to protect San Franciscans from harm…”

First identified in Wuhan, China in late 2019, Coronavirus (covid-19) has reportedly infected over 80,000 people worldwide and has resulted in over 2,700 deaths on several continents. Recently, the World Health Organization identified the newly identified Coronovirus as a potential “Disease X”.  “Disease X” was added to World Health Organization’s “Prioritizing diseases for research and development in emergency contexts” list of illnesses. This list includes such diseases as the Crimean-Congo hemorrhagic fever (CCHF), Ebola and Marburg virus disease, Lassa Fever, MERS, SARS, Nipah and henipaviral diseases, Rift Valley fever and Zika.  Importantly, “Disease X”:

(…represents the knowledge that a serious international epidemic could be caused by a pathogen currently unknown to cause human disease, and so the R&D Blueprint explicitly seeks to enable cross-cutting R&D preparedness that is also relevant for an unknown “Disease X” as far as possible) (emphasis added). 

What can the current Coronavirus situation teach us about cybersecurity?

Reflecting upon the situation in San Francisco and the WHO’s statements, it is possible to utilize the Johari Window to analyze the situation. The Johari Window[1]developed by psychologists Joseph Lutz and Harrington Ingram in 1955 and reintroduced to the American Public in  2012 when then Secretary of State in referencing Iraqi Weapons of Mass Destruction stated:

…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know…it is the latter category that tend to be the difficult ones.” (paraphrased)

The Johari Window identifies four panes of knowledge.  They include: The “known/knowns” where both the person and others know of a given situation. There is the “Known/Unknown” where the person knows and others do not know of a situation. Consider a personal secret that has not been shared with others. There is then an “Unknown/Known” where the situation is not known the person yet is known to others. In simple terms think of a surprise birthday party where everyone but the birthday boy/girl is aware.  Finally, there are “unknown/unknowns” where neither the party knows.  This is the truest example of an ‘unknown’ and represents, the most difficult situation to analyze because it truly represents a position of ignorance on both parties.

In 2016 the World Health Organization identified that there was a conceptual, although yet undefined threat that was both unknown to others and to themselves but they understood that, theoretically, existed and would present a major risk if and when it was eventually realized.  This, they proactively identified as ‘Disease X’. This was the ‘unknown/unknown’ in the Johari Window until the time that it was identified as Coronavirus.

It is now a ‘known/known’ threat although countries are still struggling to identify how to deal with the risk it presents. Until it was actually realized, however, there was little any country could do except wait until it was realized. Once it was identified, then actual defensive and protective measures could be put into place to address the threat.

In much the same way, organizations dealing with cybersecurity today are presented with the ‘unknown/unknown’ of the conceptual “Disease X” threat in cybersecurity.  This is any yet unidentified and yet predicted threat that may impact their organization in the not too distant future.  Companies are faced with attempting to develop security and continuity plans for a threat that they do not yet know exists and what specifically that threat encompasses.  On a nearly daily basis, however, a ‘Disease X’ arises in cybersecurity and companies are forced to react quickly and decisively to address such threats.  Adding to the threat is the fact that these threats are not naturally occurring and are, in fact, created by humans – intent on creating harm.

Compounding the problem of the ‘unknown/unknown’ is the idea of threat adaptation in known threats.  While not modified by naturally security processes, security strategies, like those of disease control must also deal with threat adaptation. Using the Coronavirus as an example, according to a South China Morning Post article posted on February 4th, 2020 Chinese scientists had already:

“…detected “striking” mutations in a new coronavirus that may have occurred during transmission between family members.” It further states that: “While the effects of the mutations on the virus are not known, they do have the potential to alter the way the virus behaves.”

It has been well established that Influenza virus ‘shift’ and ‘drift’ antigenically.  Without delving into the specifics of how these occur, according to the Center for Disease Control and Prevention, states that:

“When antigenic drift occurs, the body’s immune system may not recognize and prevent sickness caused by the newer influenza viruses. As a result, a person becomes susceptible to flu infection again, as antigenic drift has changed the virus enough that a person’s existing antibodies won’t recognize and neutralize the newer influenza viruses.”

While not a direct corollary to a natural viral drift or shift, human actors respond in a similar way when attempting to commit criminal acts. They ‘adapt’ to the changing security environment and are defined as ‘adaptive threats’.  According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:

“…threats intentionally caused by humans.”  It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.”

In short, as defenses improve, threat actors change their tactics, and techniques to adapt to the changing controls and prevent the established controls from identifying and protecting against the newly adapted threat.  As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections.  This cycle continues ad infinitum until there is a disruption. This recurring cycle is known as the Defense Cycle.

Consider medieval castles.  Originally, they were built of wood.  Those assaulting castles would simply use fire to burn the castles to the ground.  Castle makers then built Castles of stone.  Assaulters then created siege engines to knock down the walls or began digging under the walls to ‘undermine’ them.  Castle walls were made larger and stronger and were nearly impenetrable until cannons were introduced.  Even in situations where the attackers could not ‘storm the castle’ they would simply lay siege and starve the inhabitants until they capitulated.  This is a classic example of threat adaptation and the defense cycle.

In a more relevant and timely example consider a standard network with security controls applied commensurate with the identified risks. An attacker may try an attack against the network layer.  If this is ineffective and the incentive is great enough the attacker will likely modify their behavior and attack methodology to attempt to circumvent some other control.  This process continues until a resource has been compromised.

Applying the concepts addressed in this article, a newly identified or developed exploit is the proverbial “Disease X”.  As it has not yet been identified, the organization has no definitive defense against it. Once it is identified and known, then the company can begin identifying new controls to address the newly identified risk. The attacker will then, once again, modify their behavior.  As stated, this cycle can continue ad infinitum.

In 2020, organizations are dealing with myriad threats.  First there are the ‘unknown/unknowns” that represent the “Disease X”of the cyber attack world.  These may include new attack vectors, or zero day exploits.  Secondly, organizations are faced with defending against motivated, determined adversaries who are not only is focused on attacking networks and resources but are continually adapting their strategies as defenses improve.  While not a direct correlation, by looking at nature and how diseases impact our society, organizations can better understand their own security strategy and risk management practices.

 

1,000,000 InfoSec Job Openings in 2016! May 10, 2016

Posted by Chris Mark in cybersecurity, Industry News, InfoSec & Privacy.
Tags: , , , , , , , ,
add a comment

ATT_Sec_Conf_2015-076A recent article in Forbes Magazine outlines the current and projected information security job market.  According to the article the current job market is valued at $75 billion and is expected to grow to $170 Billion by 220.  More profoundly, CISCO estimates that there are currently 1 million InfoSec job openings in the US with, according to Peninsula Press, 209,000 currently unfilled! According to Virginia Lehmkuhl-Dakhwe, director of the Jay Pinson STEM Education Center at San Jose State University “The number of jobs in information security is going to grow tenfold in the next 10 years,”

I have been fortunate to have had a great career in information security over the past 15 years.  While my experience is unique, I have had opportunity to travel the World and work with some of the largest, and most complex companies around.  I have spoken at scores of events and have published dozens of articles and white papers.

Last year I wrote a blog post about how to get into the InfoSec career field.  Two things that many people may want to know off the bat.  1) a College Degree is NOT required (although often very helpful) and 2) The pay is VERY good. (basic supply and demand).  In my experience most people could probably get into the field with anywhere from 9-18 months of self-study.  You can get in quicker if you attend course.  For more information, please read my blog post: Getting Info Information Assurance Careers.

Dupont’s Titanium Oxide Color Recipe- Stolen for Chinese Advantage July 22, 2015

Posted by Chris Mark in Industry News, InfoSec & Privacy, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

Oddly (to me anyhow) this is the 2nd most  popular post on my blog!  It was written over 3 years ago but since it gets so much traffic I thought I should re-post.  Here it is in 2015!

Many mistakenly believe that only “high tech” secrets and intellectual property are targets for intellectual property theft.  In a clear example of how any propriety secret can be considered a target, a scientist (Tse Chao) who worked for Dupont from 1966-2002 (36 years!) pleaded guilty in Federal court on Thursday to committing espionage for a company controlled by the Chinese government.  Mr. Chao testified that he provided confidential information to Chines controlled Pangang Group. What did he steal? Among other things, the recipe for Dupont’s Titanium Dioxide.  What is TD used in?  Titanium Dioxide is the ingredient in many white products that makes the products white.  Products such as paint, toothpaste, and Oreo cookie filling!  Stealing the ingredients to Oreos shows just how low cyberthieves will go!   According to court documents: “DuPont’s chlorine-based process was eagerly sought by China, which used a less efficient and more environmentally harmful production method”

I have worked with a number of large companies who, when asked why they did not protect trade secrets, replied that they did not believe their industry or type of product was of interest.  Make no mistake.  If your company has a unique process, technology, or product, it IS of interest to many companies.  Unfortunately, the US Government has released reports that state that China is sponsoring much of the US and European cyber espionage.

photo from: http://www.titaniumexposed.com

Beating an Old Drum October 27, 2012

Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.
Tags: , , , , , , ,
add a comment

It’s the end of what has already been a tough year for data security.  And the news just got worse.  South Carolina has announced that its Department of Revenue suffered a major breach.  The breach is so massive, in fact that more than 75% of the state’s residents have been affected.  The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents.  Also included in the breach were about 390,000 payment cards.  Most of those were encrypted, though.

This is disturbing on a number of levels.  I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those).  Consumers have built in protections on payment cards.  As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions.  The far more sensitive data, the social security numbers, were not encrypted, though.  This defies logic.  Consumers have little to no protection against misuse of SSNs.  Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) in untangling the identity theft knot that comes with stolen SSNs.

Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.”  WHAT?  If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold.  After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become priority.

Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data.  It’s long past time states put forth the same level of protection.  On the plus side, the state did comply nicely with its own data breach notification law.

%d bloggers like this: