
Offensive Cyber Attacks – A Dangerous Proposition December 8, 2012

Posted by Chris Mark in Uncategorized.

Let me preface this by saying I have been outspoken about passive cyber defensive strategies and their failure.  You can read my paper, “Failed State of Security,” to learn more.  On that note, Fox News ran a story today that had me scratching my head.  The recommendations were pedestrian at best, and dangerous in the most severe cases.  In short, the article suggests that companies should take a more ‘offensive approach’ to preventing cyber attacks.  Some of the recommendations include:

“Misinformation campaigns,” such as planting fake documents and data for criminals to steal.  As stated in the article: “One such strategy involves creating a disinformation campaign by distributing fake documents throughout a company’s own network to confuse and potentially misguide potential adversaries.”  Companies today have a difficult time managing their own ‘real’ documents.  This approach is inefficient and bound to cause confusion among employees.  How do you differentiate between the “real” and the “fake” internally?

Frank Cilluffo, Director of George Washington University’s Homeland Security Policy Institute, stated in front of Congress: “We should provide opportunities and responsibilities to the private sector to hack back.”  REALLY?  Vigilante justice is being proposed by the Director of a major university’s homeland security institute?  We are going to trust commercial entities to use the authority to ‘hack back’ judiciously?  What about when they hack into a competitor and claim they were being hacked?  What if a company hacks into a personal computer and the person decides to exact revenge on the company’s employees by escalating the issue to violence?  Many of these ‘cyber criminals’ are associated with organized crime.  These are not the types of groups you generally want to attack.  This ‘mall cop’ mentality has no place in corporate America.

More disturbing is the analogy drawn between ‘hacking back’ and bank robberies.  “If someone were to rob a bank today, doesn’t the bank have a responsibility to protect its customers and employees from someone armed? They don’t simply wait until someone shoots innocent victims,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute.  The difference is stark.  A person walking into a bank with a weapon is a ‘clear and present danger’ to people’s physical safety.  A company being hacked may be angry, offended, insulted, etc., but the hacker is not endangering anyone’s physical safety the way a person with a gun is.

While an executive order from the White House could be forthcoming, Cilluffo said legislation from Congress would be far more helpful and could even indemnify companies from lawsuits.

“We need to have these conversations because the current approach is doomed for failure. We’re losing too much,” said Cilluffo.

Beating an Old Drum October 27, 2012

Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.

It’s the end of what has already been a tough year for data security.  And the news just got worse.  South Carolina has announced that its Department of Revenue suffered a major breach.  The breach is so massive, in fact, that more than 75% of the state’s residents have been affected.  The compromised data consisted of the (unencrypted) Social Security numbers of more than 3.6 million residents.  Also included in the breach were about 390,000 payment cards.  Most of those were encrypted, though.

This is disturbing on a number of levels.  I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those).  Consumers have built-in protections on payment cards: as long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions.  The far more sensitive data, the Social Security numbers, were not encrypted, though.  This defies logic.  Consumers have little to no protection against misuse of SSNs.  Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) untangling the identity theft knot that comes with stolen SSNs.

Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.”  WHAT?  If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already??  That is very troubling, particularly considering the types of data that state agencies hold.  The moment after 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become a priority.

Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data.  It’s long past time states put forth the same level of protection.  On the plus side, the state did comply nicely with its own data breach notification law.

Because I Said So September 23, 2012

Posted by Heather Mark in cybersecurity, Industry News, InfoSec & Privacy, Laws and Legislation, Politics.

Last week, Democratic leaders made some minor news when they sent a letter to President Obama suggesting that he issue an executive order on Cybersecurity.  Their position is that, since Congress seems to be at loggerheads over the issue, the president should take the opportunity to force action by issuing an Executive Order.  In fact, Secretary of Homeland Security Janet Napolitano told a congressional committee that just such an order was in its final stages.  So what might we see in this forthcoming order?

According to reports, the order will attempt to regulate sixteen “critical” industries.  The guidelines will be voluntary, after a fashion.  Compliance with the standards may determine eligibility for federal contracts.  The White House has not made any secret about its intentions on Cybersecurity.  In fact, the White House website lists “Ten Near Term Actions to Support Our Cybersecurity Strategy.”  Brevity prevents me from getting into a deep discussion about those actions here, but you can read them and draw your own conclusions.

The questions remain, however: 1) how stringent (read: intrusive) will the requirements be?; 2) will they be relevant to the threats in the landscape?; 3) how will compliance be policed?; and 4) how much additional cost are we potentially adding to our already stretched budgets?

Another question that merits examination is whether or not the standards will be redundant.  Many industries are already straining under the weight of a variety of infosec requirements, whether industry-regulated or government-mandated.  Will another layer of regulation mean increased efficacy of data protection strategies and mandates, or will it be just another layer of red tape?

“Cyber Espionage is Alive and Well”; Motorola Employee Sentenced in theft of IP August 30, 2012

Posted by Chris Mark in cyberespionage, cybersecurity.

According to a story in CIO, a former Motorola employee was sentenced to 4 years in prison for theft of trade secrets. For more information on the cyber espionage threat, you can read my article, “The Rise of CyberEspionage,” published in The Counter Terrorist Magazine.

Below is an excerpt of the CIO article.

“Hanjuan Jin, 41, a nine-year Motorola software engineer, conducted a “purposeful raid to steal technology,” U.S. District Judge Ruben Castillo said while imposing the sentence, according to a statement by the department.

The Judge did not however find her guilty of three counts of economic espionage for the benefit of China and its military, although he found by a preponderance of the evidence, that Jin “was willing to betray her naturalized country,” according to the department. Jin had earlier been convicted by the court of three counts of theft of trade secrets.

Judge Castillo’s order was not immediately available on the website of the U.S. District Court for the Northern District of Illinois, Eastern Division where Jin was on trial.

Jin, who is a naturalized U.S. citizen born in China, was stopped from traveling on a one-way ticket to China on Feb. 28, 2007 at O’Hare International Airport by U.S. customs officials who are said to have seized from her possession more than 1,000 electronic and paper documents from Motorola.”

Companies need to be vigilant and understand that the same techniques used to steal national secrets are being employed against US businesses.  While such activity is not exclusive to China, China certainly represents the greatest threat today.

“A Rose by Any Other Name…” – Selecting the Right InfoSec Professional August 22, 2012

Posted by Chris Mark in cybersecurity.

Last week I had an experience that left me chuckling and shaking my head at the same time. I had been approached by a company that had some infosec needs.  According to the person with whom I spoke, they had found me on LinkedIn and wanted to talk.  This company had recently settled with some regulators over some privacy and other regulatory practices and were looking to beef up their security and compliance.  I spoke to one person for about an hour and a half and was asked to send more info.  Later that week I received a call from the person with whom I had spoken and was informed that the company was looking for someone with INFORMATION SECURITY experience.  I (likely not so politely) asked what they thought I did for a living.  His response was that the company was looking for someone with a computer science degree.  It was curious that they did not say an information assurance degree, or a cybersecurity degree… or list any certifications or skills… simply computer science.  Well then… there you have it.  Apparently, this company feels the only real qualification for ‘infosec’ is a computer science degree.  Considering their previous issues, you would think they would have a better handle on infosec and their needs.

When looking for an infosec professional, understand that there are technical skills which are certainly important (encryption, configuring firewalls, devices, systems, application-layer security, etc.).  There are other aspects which are important as well.  Understanding the compliance mandates as well as the various regulatory requirements and regimes is critical in today’s world.  While not specifically defined as ‘infosec’, an understanding of privacy issues (how data is used) is also important.  While understanding technology is critical, being a skilled infosec professional is about more than simply understanding technology, and about more than computer science.  While I may not have been right for that particular engagement for other reasons, the company’s laser focus on a ‘computer science’ degree to the exclusion of the other aspects suggests this company may be focused on the wrong areas.  Maybe they should question why they had issues to begin with.