Editor’s note: the post below by Anup Ghosh first appeared on the Invincea blog and is republished here with the author’s permission. bg

Prediction 2012: Hackers Will Find New Fertile Ground to Pharm

Team up with Carahsoft and Virtual Instruments to prepare for the FDCCI

Last week I attended a Carahsoft webinar with Virtual Instruments’ Doug Norton and our very own Bob Gourley. The topic was the Federal Data Center Consolidation Initiative, and what Virtual Instruments can do to help prepare your agency for consolidation.

The key capability that Virtual Instruments brings to the table is the ability to identify and create real metrics for your data center and across the SAN. VI uses fibre channel technologies to copy network data in stream and then perform their analytic magic on that data – this allows your network to continue to operate with zero latency introduced by their action.

Consolidation is a huge target for any CIO, let alone those to whom it is mandated. Virtual Instruments helps prepare the network for consolidation by identifying weak points, underutilized assets. One huge hold up for cloud adoption is visibility, which is exactly what VI can offer your agency or firm.

Virtual Instruments has created a six-step plan that directs the consolidation process and optimizes the results.

Step 1: Mitigate Risk and Improve SAN Utilization

Step 2: Speed Resolution Time & Root Cause Analysis

Step 3: Head Off Application Performance Problems

Step 4: De-Risk and Tune Mission Critical Applications

Step 5: Optimize Storage Tiering

Step 6: Increase Use of Virtual Servers

If you’d like to watch the archived webinar, find it on Carahsoft’s website, here.

Find Virtual Instruments and Doug Norton here.

Related articles

• Learn how to get ready for the FDCCI with Bob Gourley and Carahsoft (Webinar) (ctovision.com)
• A Tale of Two FCoEs (datacenteroverlords.com)

The technology writer Langdon Winner wrote an interesting book 30 years ago that has a lot of relevance to technologists today–especially when thinking about enterprise security. His core idea is one of technological autonomy. As the good folks at Cyborgology define it:

Technological autonomy is a shorthand way of expressing the idea that our technologies and technological systems have become so ubiquitous, so intertwined, and so powerful that they are no longer in our control. This autonomy is due to the accumulated force of the technologies themselves and also to our utter dependence on them.  …Advanced technologies require vast networks of supportive technologies in order to properly function. Our cars wouldn’t go far without roads, gasoline, traffic control systems, and the like. Electricity needs power lines, generators, distributors, light bulbs, and lamps, together with production, distribution, and administrative systems to put all those elements (profitably) into place. A “chain of reciprocal dependency” is established, Winner says, that requires “not only the means but also the entire set of means to the means.”

Winner is not necessarily arguing that technology is autonomous in the sense of Skynet and Terminator. He is, however, pointing out that technology is not simply a tool animated by human will. Each successive layer of technology, in turn, creates a complex dependence through the supporting networks necessary to underpin it. Thus we cannot evaluate technology in isolation. Rather, we ought to think of techno-assemblages, mutually reinforcing systems of systems.

The experience of the modern user is by definition one of trust in incredibly complex systems that he or she cannot hope to completely master or have control over. Instead, we accept a limited understanding of expert systems and trust in the ability of the collected wisdom of experts (and when I say collective, I mean a combination since expertise is specialized in nature) that the systems we use will work as planned. The philosopher Anthony Giddens writes of this, for example, when talking about cars:

Everyone knows that driving a car is a dangerous activity, entailing the risk of accident. In choosing to go out in the car, I accept that risk, but rely upon the aforesaid expertise to guarantee that it is minimised as possible. […] When I park the car at the airport and board a plane, I enter other expert systems, of which my own technical knowledge is at best rudimentary.

I would argue that one of the major problems with enterprise security–and to some extent information security as a whole–lies precisely in the factors that both Giddens and Winner discuss. Information technology and the systems that underpin it are, in a sense, autonomous in the way Winner suggests. Cyber is ultimately an inescapable aspect of everyday life, making cybersecurity less of an exotic thing than it was when books like Black Ice were written. As more and more appliances become networked, we start entering into the world where the information user not only can’t trust their toaster, but also becomes paranoid about people hacking into their cars. Moreover, the knowledge necessary to understand the sum of these techno-assemblages becomes not simply a problem for individual technologists, but a larger social issue that requires a diversity of expertise.

I think that as a company CrucialPoint itself is actually a very good response to this sort of new reality. My background is in political science and international politics, Dillon Behr is a former soldier, Matt Devost, and Bob Gourley have experience in the cyber security, national security and intelligence communities. Chris Barnes is a former federal CIO. I’m often amazed at the technical skills demonstrated on a consistent basis by Bryan Halfpap and Ryan Kamauff. Some of us have advanced degrees, others have many years of practical experience. Together, we have a mutually reinforcing basis of expertise for thinking about technology in a holistic fashion.

Winner and Giddens’ ideas have great relevance for enterprise security. We aren’t going to stop people from using various techno-assemblages or individual technologies. Mobile device security and the “death of the PC” are merely symptoms of this larger problem. And the implications associated with these technologies are policy matters for an manager with appropriate authority and perspective to set, not merely a technical domain for individual specialists. They are too complex and encompass way too many dimensions for a narrow perspective.

Related articles

• 2011 in Cybersecurity (ctolabs.com)
• Fixmo Announces Advisory Board, Adds to Board of Directors (ctovision.com)
• Virtualization: Security Issues and Savings (ctolabs.com)

While virtualization offers many benefits to enterprise such as lower costs and greater flexibility, it also creates new challenges. One of the greatest concerns with switching over to virtualized infrastructure, espeically in government, is security and compliance in a complex and dynamic environment which legacy software can no longer handle. Catbird offers automated security solutions tailored to virtualized data centers and has recently unveilled the next generation of its vSecurity software, vSecurity 5.0.

By integrating with the hypervisor, which manages all of the virtual machines, vSecurity 5.0 delivers access control, intrusion detection, secure auditing, automated protection, visibility, and efficiency. It can enforce FISMA, NIST, HIPAA, and other standards so that  users can virtualize more assets faster and with better return on investment. As a result, vSecurity provides a level of securityand compliance that exceeds traditional physical security devices.

In vSecurity 5.0, Catbird will incorporate a variety of security features. The Event Viewer displays security data from various controls such as the firewall and intrusion detection system and shows in real time what each is detecting as well as how they interact. The Compliance Radar Graph visually shows data center compliance to a given standard in real time to automate validation. Automated Asset Inventory accurately catalogs for for security monitoring and enforcement, which is integrated with Network Flow Mapping to effectively regulate access controls and mitigate risks from suspicious communication. It also allows for Policy Automation via vSecurity TrustZones, logical groupings of assets with common a pre-defined policy and compliance rules. Version 5.0 also allows data to be analyzed by leading enterprise management systems such as ArcSight and Splunk.

Catbird’s vSecurity has won many awards and garnered recognition for its revolutionary solutions, including receiving four consecutive VMworld Best-of-Show Finalist awards and Gartner’s Cool Vendor 2011 designation. If you’re running a virtualized data center, give Catbird a try for yourself by requesting a free demo here.

Related articles

• What You Need To Know About FedRAMP (ctovision.com)
• Invincea Continued to Gain Momentum (ctovision.com)
• Splunk: Bringing Big Data Analysis to the Rest of Us (ctovision.com)

Protecting and connecting

Here are a few recent links of note on cybersecurity and disruptive technology:

• The Cyber Power Index by Booze Allen Hamilton. The G20 are ranked by their potency in cyber, determined by their legal and regulatory framework, economic and social context, technology infrastructure, and industry application. The United States is ranked second with the United Kingdom surprisingly first and China in 13th place. This tool is interactive and, if you disagree with Booze Allen Hamilton’s assessment, you can change the weighting of the determining factors.

• Federal Researchers Push the Limits of Cloud Computing. The results of the 2 year Magellan project, where the DOE”s national labs compared their traditional High-Powered Computing to cloud models, were released last month. Can the national labs use cloud computing to measure the expansion of the universe? Maybe, but not quite yet. We also did some further analysis on Lessons Learned from Magellan.

• Nearly a Third of Americans Now Own an E-Reader or a Tablet. Almost 20% own each. Increasingly mobile is becoming the norm, which means that mobile applications, services, and security need to keep pace and are some of the most pressing topics in information technology.

• Military’s New Plan to Weed Out Counterfeits: Plant DNA. Counterfeit goods are a tremendous concern in military logistics, but serial numbers can be rubbed out and even holograms can be mimicked. Applied DNA Sciences Inc. has just won a contract with the Defense Logistics Agency to try a novel solution –  coating electronics with plant DNA markers. Matching the plant DNA would be almost impossible for counterfeiters.

Related articles

• Alex’s 2012 Tech Predictions (ctovision.com)
• Adam’s 2012 Tech Predictions (ctovision.com)
• Ryan’s 2012 Tech Prediction (ctovision.com)

Cyber practitioners have long wondered when this would happen. Now it has. The President of the United States has finally realized that the threat from malicious actors in cyberspace has grown so significant that it bears mentioning in the State of the Union Address.

In his January 24, 2012 State of the Union Address President Obama, while talking about America’s military strength, said:

“To stay one step ahead of our adversaries, I have already sent this Congress legislation that will secure our country from the growing danger of cyber-threats.”

It might be that I’m attaching more significance to this mention that it deserves. But many of us have wondered or decades why cyber threats have not warranted this level of attention. The threat of cyber attacks is significant, and the theft of intellectual property (which has an impact on the economy and jobs), is unrelenting.

It was good hearing this reference to the cyber threat in the State of the Union. I don’t mean to say I’m glad there are threats! I mean to underscore that more awareness of cyber threats is a good thing.

I wonder if my friends Howard Schmidt or Sameer Bhalotra had anything to do with this? Since they led coordination on the issues in the legislative package sent to Congress, I bet they did.

We have previously written about the Mobile Risk Management leader Fixmo and their relevance to enterprise missions and I have shared my excitement to be on the advisory board of this very virtuous firm (see, for example, Fixmo And Mobile Risk Management For Enterprise and Government Agencies).

Fixmo has just announced the full membership of their advisory board plus some additions to their board of directors.

Other advisers include:

Mr. Wilson “Bill” Livingood. Bill is one of the most interesting (and nicest) human beings I have ever met. He spent 33 years in the US Secret Service (think of the stories he will never tell), and was elected Sergeant at Arms of the United Stated House of Representatives in 1995. He was subsequently re-elected through every session since till his retirement this month. As Sergeant at Arms he has had many responsibilities, including a need to ensure members of Congress are equipped to deal with the growing cyber threat to their systems (including mobile systems).

RADM Author Lawrence. Art has a distinguished career of service to the country as a medical professional. He has served as the Assistant Surgeon General and as the Deputy Assistant Secretary of Health and Human Services. I’ve enjoyed getting to know Art and found him to be very mission focused, but also a great person to hang out with. Art has also had many responsibilities regarding cyber security, including the need to equip a workforce with cyber solutions.

It is an honor to serve with Bill and Art at Fixmo.

The board at Fixmo contains many professionals I have long looked up to.  The board includes:

Rick Segal (Founder and CEO of Fixmo), Kenneth Minihan (Paladin Capital Group),  Frank Meehan (former board member of Spotify and SIRI), Paul Conley (Principal, Paladin Capital Group), Chris Albinson (Managing Director, Panorama Capital), Jeffrey Grammer (Partner, Rho Canada), John Stewart (VP and CSO, Cisco) and William Crowell (former Deputy Director of the National Security Agency).

The Fixmo team also includes the highly regarded widely respected national security professional Bruce Gilley, President of Fixmo US.

We will provide more on Fixmo’s capabilities via our postings here at CTOvision.com.  There is much more besides a strong leadership team to be excited about. They are fielding incredibly positive mobile risk management solutions.

The following is from the Fixmo site at:

http://fixmo.com/fixmo-announces-advisory-board-adds-board-directors

Fixmo Announces Advisory Board, Adds to Board of Directors

Leader in Emerging Market for Mobile Risk Management and Mobile Security Bolsters Boards with Addition of Business, Government, Technology Luminaries

On Friday, 16 December, Michael Howard hosted a webinar for FedCyber on the Microsoft Security Development Lifecycle (SDL), Howard is Microsoft’s Principal Security Architect with nearly 20 years of experience in the field and literally wrote the book on SDL, a topic that keeps growing more relevant. This year, the federal government put into policy with the National Science and Technology Council’s strategic plan for federal R&D what industry has already learned – the only way to protect against modern cyber attacks is to design security into software development.

While Microsoft is recognized as the leader in their Security Development Lifecycle, SDL is non-proprietary, platform agnostic, and suitable for organizations of any size. The tools for many SDL proceses can be downloaded for free and most content is published under Creative Commons License. Simply put, SDL is a series of 16 practices to ensure that security is incorporated into every part of the software development process rather than as an afterthought. The driving philosophy ofSDL is that no amount of security technology can compensate for insecure applications, and currently 75% of attacks occur at the application layer. There is simply too much that can go wrong. Applications may contain millions of lines of code, but it only takes one line to create a fatal vulnerability. There are many other places in a computer system where security can fail, from web-based attacks such as SQL injections for which vulnerabilities are almost ubiquitous to insecure data configuration and human error by users. Fortunately, the often repeated security paradigm “a system is only as secure as the weakest link” is only partially true. Through compensating controls, a central tenet of the Security Development Lifecycle, we can both reduce vulnerabilities and decrease the severity of the vulnerabilities we missed.

The 16 practices that comprise the Security Development Lifecycle are training requirements, security requirements, quality gates/bug bars, security and privacy risk assessment, design requirements, attack surface reduction, threat modeling, use of appropriate tools, depreciating unsafe functions, static analysis, dynamic program analysis, fuzz testing, attack surface review, creating an incident response plan, a final security review, and release/archive. Specifics on all of these steps can be found here, or in more detail here. In brief, while each practice is important, training is the highest priority. Everyone in the enterprise must know something about cybersecurity. For example, every time they begin a new project, every single software engineer at Microsoft gets some training whether security is in their job title or not. SDL is a systematic way to make sure you inventory your applications for common vulnerabilities like cross-site scripting and SQL injections, inventory your engineers to make sure they have adequate security training and tools, and inventory your supply chain to make sure all steps in the creation process use secure practices. Though security can’t be perfect, SDL aims to compensate for vulnerabilities in a way that products and technology cannot.

You can find out more about SDL here, or when Michael Howard returns to deliver another webinar for FedCyber going into greater technical detail.

Related articles

• The Security Development Lifecycle (ctovision.com)
• Security Development Lifecycle Webinar with Michael Howard (ctovision.com)
• Crucial Point LLC Supports Security Development Lifecycle Webinar with Michael Howard (bobgourley.com)

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program established in December 2011 to speed the adoption of cloud computing. FedRAMP includes a set of requirements for federal cloud computing and universal procedures for approving services and providers to work with the government. When contractors feel that they have met FedRAMP requirements, they must have their security control implementations independently verified and validated by a FedRAMP accredited Third Party Assessment Organization for compliance which then submits  a security assessment package for review by the cross-agency Joint Authorization Board (JAB) . FedRAMP is expected to be operational by June and will be mandatory for all government cloud deployments of low to moderate risk levels except for single agency private clouds. Agencies can also add additional requirements on top of the FedRAMP controls. The goal is to establish standards to ease fears about cloud security while saving time and labor through one federal standard rather than redundant agency standards, allowing organizations to leverage past approvals elsewhere.

After looking at over 1000 comments from government and industry, FedRAMP released its list of security controls earlier this month. The controls are based on the National Institute of Standards and Technology special publication 800-53, Revision 3, which are already in place for each federal agency through the Federal Information Management Security Act (FISMA), with additions relating specifically to security in the cloud. The 800-53 standards are characterized by measures to ensure the consistent application of security practices and continuous monitoring of near-real time data.

Additions include controls to deal with trust on shared resources and to dictate secure practices for Platform-as-a-Service, Software-as-a-Service, and Infrastructure-as-a-Service. PaaS and IaaS are to have session locks and SaaS needs to have cryptography up to federally mandated standards. Service providers must support the capability to produce, control, and distribute asymmetric cryptographic keys. Identity and privilege are to be tightly managed, with means to identify foreign nationals and contractors on government networks and enforce role-based access controls at the file, table, row, column, or even cell level if necessary. There are extensive documentation requirements. Service providers must maintain a list of software programs authorized to execute on the information system and submit it to the JAB for approval, and must also document all outsourced security services as well as conduct a risk assessment of future outsourced security services to be approved by the JAB. To gain authorization, service providers must also submit updated code analysis reports and, in the Continuous Monitoring Plan, how new code will be reviewed. The JAB must also approve a list of security functions that must be routed for DHS monitoring such as authentication and resource provisioning and what internal communications traffic will be routed through authenticated proxy server to which external networks. Service providers are to logically or physically separate administrator information security tools, mechanisms, and support components and set resource allocation priorities for the moderate impact systems. The full list of controls contains more additions and specifics.

FedRAMP has already gotten a mixed response. Government executives say that the program will speed up the adoption of cloud computing by simplifying the authorization process for cloud services. If a Third Party Assessment Organization and the Joint Authorization Board find a service to be compliant, any and all government agencies can adopt it. That is, however, only if individual agencies don’t add too many additional conditions to the controls, which some researchers fear will happen. Also, as noted above, the authorisation process is very documentation intensive with many steps that may create a bureaucratic nightmare as cloud services rush to get authorized. Rather than speed up the adoption of cloud services, FedRAMP could create a bottleneck. To combat this, the JAB intends to view authorization packages in order of priority and grant provisional authorization if necessary.

Related articles

• GSA to hold industry workshop on federal cloud security controls (fedcyber.com)
• FedRAMP includes 168 security controls (fedcyber.com)
• Federal officials launch FedRamp (ctolabs.com)

2011 was a watershed year for cybersecurity, but it was evolutionary rather than revolutionary. Political hacking, industrial skullduggery, drones gone wild, and mobile malware all made 2011 a year, to borrow CrucialPoint amigo Matt Devost‘s phrase (since I’m already borrowing his image for the post graphic, why not?), to live cyberdangerously.

The Rise of the Political Hacker

Anonymous was, in many ways, the biggest cybersecurity story of 2011. You couldn’t go anywhere without hearing about a high-profile Anon #Op. From HBGary to the Mexican drug cartels, targets far beyond Anonymous’ original punching bag–the Church of Scientology–were attacked. While it may be a stretch to say that Anonymous affiliates’ campaigns against the Egyptian and Tunisian governments ignited the Arab Spring, it did play an important role in unearthing information that helped fuel protests. Anonymous’ virtual support for the Occupy Wall Street movement also helped the movement multiply, although there’s some dispute as to how deep (or effective) their movement really was.  Less glamorously, Anonymous affiliate LulzSec cost Sony $171 million by shutting down the online Playstation Network for 44 days. Anonymous affiliate AntiSec’s attack on political risk company STRATFOR capped an extremely busy year for Anons. 2012 will probably feature even more hacks–not for money, but for, as they would say, the lulz.

Duqu and Industrial Cyber Operations

As CTOVision’s own Bryan Halpap wrote, the Duqu virus should be properly considered a payload of the Stuxnet virus rather than an entirely new animal:

Duqu seem to share a common resource base, code base, and methodology in loading and running executables. Essentially we can think of the ways Duqu and Stuxnet install and launch themselves as being similar enough to warrant either worry that it is the same perpetrator of Stuxnet, or that they have access to the source code of the Stuxnet threat. …At first, Duqu was largely reported to have come from the same folks who created Stuxnet.  This simply doesn’t have to be the case.  The techniques could have been copied or even stolen wholesale by the malware authors.  Duqu also behaves differently and uses different infection methods.

True, Duqu is an spy virus rather than an damage-inflicting agent like Stuxnet. So what’s the big deal? As Bryan says, the problem with Duqu is that the information it collects is probably recon data for future exploits. Stay tuned.

The Advanced Persistent Threat continued to be….advanced and persistent. Only this time the US is caught up in combining cyberforensics with active counterespionage–there is, after all, no such thing as purely defensive counterintelligence. The American probe found 20 groups–most of whom have ties to the Chinese People’s Liberation Army–responsible for the vast amount of Chinese cyberspying. The Russians continued to hack and spy for economic and technical goodies too, according to the National Counterintelligence Executive….along with erstwhile US allies also wanting to get their fingers in the cyber cookie jar. Thanks guys (not).

It’s worth pondering this quote from former French intelligence chief Pierre Marion: “It would not be normal for us to spy on the United States in political or military matters, but in the economic and technical spheres we are competitors, not allies.” Whether from the Land of the Pandas or the State of Escargot and Impossibly Cute Audrey Tautou Movies, technical espionage threats exist in both cyberspace and “meatspace” and are likely to continue to be both operational and political issues in 2012.

Drones Gone Wild

In the midst of all of this craziness, the drones went wild. Err, not perhaps the way you might think of it, but something very disturbing happened at Creech Air Force Base. As Danger Room’s Noah Shachtman reported, the drone “cockpits” were infected with a keylogger virus. CTOVision’s Alex Olesker had a must-read blog on why the attack had grim implications for US cybersecurity:

In some ways, the official statement is more worrying than even the most sensational initial accounts as it suggests a disconnect from cybersecurity realities. First, it’s too quick to dismiss what may have been a real threat. According to Microsoft security architects, once a credential stealer gets a foothold on your network, it typically takes between 24 and 48 hours to gain Domain Admin credentials and access to every account and workstation. An anonymous official has claimed that the malware only targets online gaming accounts, but this has not been confirmed or attributed. If the 24th managed to isolate the virus, they may have squashed a nuisance or they averted a crisis. Their confidence in defensive measures is even more unsettling. “Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach,” the release claims, “We continue to strengthen our cyber defenses, using the latest anti-virus software and other methods.” That the Air Force feels safe behind a cyber Maginot Line, as Professor Rick Forno would say, does not fill me with confidence, especially when the virus has already penetrated “air gaped” systems, the gold standard in network security.

Alex would later return to the subject, reporting on the new details that have come to light in the case:

While Kehler remains very confident in the Air Force’s defenses, he also set more realistic goals in line with a “plan to fail” paradigm. ”We see multiple deliberate attempts to try to get into our networks, almost daily,” he noted, but thankfully “ the systems that we have put in place to detect such viruses worked… Perfect defense is probably not something we can achieve, but the idea of mission assurance is something we must achieve.” …Still, if current defenses worked as well as the Air Force claims, the virus would not have spread and become so hard to eradicate. The difficulties in cleaning infected computers and identifying the attack vector imply insufficient remediation and forensics tools, important elements of “plan to fail” and presumption of breach based security.

It’s still unclear how exactly the cockpits were infected, and we may not find out for a very long time.

Mobile Malware

A more mundane, but equally serious, cybersecurity threat has been the rise of mobile malware. Criminals took in $1 billion from Android users, and more feeding is likely to come. Mobile malware-infected apps for Android jumped 472% between July and November 2011 alone. Halfpap had some strong words on the subject:

Android is supposedly secure from the ground up, running a Linux kernel (with many adaptations), a walled-garden application model, system architecture to increase security (DEP, ASLR), application permissions, and more. Unfortunately, holes or bypasses have been found in nearly all of these security features. Some, like the application permissions model, may require significant overhauls in order to maintain security. …The security of the platform in question is not just notable for what has been broken or evaded,  it’s notable for what it doesn’t include: fine-grain enterprise management and mature management tools. Android from its inception has been primarily a consumer device and its somewhat meager corporate tools reflect this path.

While the problem seems to be overwhelmingly Android’s, Apple fanboys should not get cocky. A red teamer was able to sneak a malware-laden app past Apple’s walled garden into the App Store. Mac users could face their own potential mobile malware nightmare.

Conclusion

2011 was more cyberdangerous than 2010. And 2012 is likely to also surpass 2011. But while it may seem hard to believe, the greatest dangers in cyberspace for most users are not Anons or master foreign hackers but the online equivalent of petty theft and burglary–or over-friendly Nigerians seeking a business deal. Despite overheated claims of cyberwar, we’re currently enjoying a (somewhat criminally-prone) cyberpeace. But who knows—maybe that’s just the lull before the storm.

Related articles

• What You Need to Know About Duqu (ctolabs.com)
• The Cybersecurity “Wake Up Call” and the Snooze Button (bobgourley.com)
• Stuxnet, Duqu Date Back To 2007, Researcher Says (fedcyber.com)