CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for Bob Gourley

Bob Gourley

Iran’s Hacker Hierarchy Exposed: The Islamic Republic of Iran Makes Maximum Use of Contractors and Universities to Conduct Cyber Operations

On 9 May Levi Gundert, Sanil Chohan, and Greg Lesnewich of Recorded Future provided a detailed assessment on the nature of the cyber threat from Iran titled: Iran’s Hacker Hierarchy Exposed. This report was widely cited in the press and immediately raised the bar for quality in strategic cyber threat intelligence (I saw several other reports from other sources but none held a candle to this one).

You should review the report so you can judge the quality yourself, but here are a few reasons I liked it:

  1. It was not based on a single source (I hate it when analysts try to assess something based only on what is seen in forensic data). This report was based on multiple relevant sources that went far beyond just technical data. Sources also included interviews with trusted people with unique access.
  2. The report provided historical context. History does not always predict the future, but it is important context. Previous research by other firms in the ecosystem, as well as the FBI, is also cited.
  3. It is informed by cultural dynamics best provided by experienced analysts who know their material.
  4. The report provides actionable warnings with justification for the warnings.

Some of the key insights:

  1. There have been times when Iran has abandoned caution. We may be in a similar situation now.
  2. In the past this has resulted in problems controlling the scope and scale of destructive attacks.
  3. There are over 50 estimated contractors vying for Iranian government offensive cyber projects.
  4. Targets in the U.S. may include a wide range of organizations, including banks, financial services, government departments, critical infrastructure providers and oil and energy.

That is just a brief summary. I most strongly encourage you to read the entire report at: Iran’s Hacker Hierarchy Exposed.

Now, what do you do about this threat?

You need to understand that no one is coming to save you. You need to take steps to raise your defenses now, at work and at home. There are things you can do to make it much harder for adversaries to have their way with you. Every company is different, but we have a list of best practices in cybersecurity that we most strongly recommend you review. There is almost certainly some low cost configuration changes you can put in place right now to improve your defenses.

For more on these topics see the CTOvision Guide to National Security Technology and

What The Board Needs To Know About the GDPR

Executives in businesses around the globe have been tracking The European Union’s (EU) General Data Protection Regulation (GDPR) went into effect 25 May 2018. Those who operate primarily in the EU have had plenty of time to focus on this and no excuses for not paying attention. Those who operate primarily elsewhere also have no excuse to not be aware of the GDPR and should have already assessed how things should change because of these new rules. We have found, however, that many firms in the EU and the US and elsewhere are still not paying enough attention to these very serious rules. Admittedly our sample size is small and this may not be reflective of the majority of firms, but we have seen indications that many firms are adopting a strategy of putting their collective head’s in the sand or not really doing a serious assessment of the potential impact of GDPR on the firm.

The objective of these new rules is to improve privacy and security of critical personal information. The rules are also designed to harmonize many different rules active across Europe and this should make overall compliance easier. But still, for most, compliance will require changes be put into place for how data is stored and also changes put in place for how people can be put in control of their own data. Remember, the GDPR is not just about firms that operate in the EU. It applies to firms that have data on EU citizens. The GDPR requires that to collect info on EU citizens, the citizens must give their consent and the citizen also has the right to be forgotten. The data it applies to is broad, including even IP addresses.

At this point, just 20 days away from the compliance deadline, we recommend all firms do three things:

  1. Read the rules yourself. They are not that hard to read and think about
  2. Consult outside counsel. Pick a law firm you know and trust and ensure they have knowledge of the GDPR. Ask us if you need some recommendations.
  3. Seek an external review of your technical architectures for compliance. Our firm, Crucial Point, is a good place to start here.

We recommend that boards (including Audit Committees for those that have them) should evaluate their company’s data retention activities and policies to see if they are in need of modification to comply. Boards should ask CEOs and the management team to assess where exposure to GDPR non compliance is greatest and prioritize actions to fix. Boards should ask questions to determine if line of business leaders realize they are responsible for compliance vice just assuming this is an IT function. And boards should know who the Data Protection Officer (DPO) is for the firm.

Here is more on the GDPR:

  • Fines for non-compliance are up to 4% of annual revenues.
  • Customers must consent for processing of their data
  • Personal data must be protected. This includes anything related to a natural person or anything that can be used to indirectly identify the person. This includes names, photos, email addresses, bank details, addresses, posts on social media sites, medical info, IP addresses
  • The rule describes a new position, a Data Protection Officer (DPO), which will be required for firms that do large scale monitoring or processing of sensitive data
  • Consent of users is required and it must be asked for and granted in specific ways before collecting and processing data.
  • Citizens are given new authorities over their data including right to have it removed (a right to be forgotten)
  • Data protections are expected to be designed into systems
  • If there is a breach of personal information, the citizen will be notified and impact assessments done
  • Transfer of data to other countries and organizations is regulated
  • Companies are expected to maintain a state of the art cybersecurity architecture and posture

We can accelerate your compliance with GDPR and do so in a way that helps your security posture.  Contact us today and see if we can help you accelerate your compliance.

Additional reading:

Adapting the U.S. Approach to Strategic Deterrence In An Age Of Rapid Technology Change

Deterring strategic attack on the United States, and its allies and partners, has been a central goal of U.S. national security strategy since at least the advent of the nuclear age.

While the goal has remained consistent, the challenges in meeting the goal have not. There are many dynamics underway including geopolitical changes but perhaps the greatest challenges come in maintaining strategic deterrence against attack in an age of rapid technological change.

Few are better able to articulate the nature of these dynamics than Dr. James Miller, President and CEO of Adaptive Strategies LLC and a former USD for Policy in the U.S. DoD. He is a senior fellow at Johns Hopkins University’s Applied Physics Lab and at Harvard University’s Belfer Center for Science & International Affairs and a powerful thinker/writer/speaker who has a gift for explaining topics in clear ways any citizen can track.

You can see many of Dr. Miller’s thoughts in this video clip of a presentation he gave at Lawrence Livermore National Laboratory:

His talk considers the changing landscape of advanced technologies, including those of nuclear strike which have been underway in Russia, China and others. But he also covers the rapid changes in non-nuclear technologies which are also of critical importance. Non-nuclear technological change related to strategic deterrence includes the many we track here at CTOvision like Cloud Computing, Artificial Intelligence, Big Data, Robotics, IoT and Cybersecurity. And they include changes those basic technologies make to our weapons systems.

Of particular importance are capabilities relating to cyberspace, outer space, missile defense, long-range strike, and a range of AI-related areas including autonomous systems and big data analytics. The United States is appropriately pursuing breakthrough military capabilities relating to each of these areas, partly in the recognition that others (China and Russia in particular) are also doing so.

After outlining the nature of this growing set of challenges (which include new threats to strategic stability like new slippery slopes towards crisis and fewer firebreaks to escalation) he then offers a number of specific recommendations for U.S. policy, military force posture, and engagement with Russia and China.

A key issue is a cyberspace beginning to a war. Cyberwar is here. And there are now clear indications that cyber attacks can lead to escalation in ways that get out of control. This is a serious topic we should all be more aware of so we can propose and support more savvy solutions to ensure our dominance and reduce the threat of escalation. For more nuanced context on this please review Dr. Miller’s presentation.

And for continued insights into how you can secure your part of cyberspace and how you can improve your organization’s ability to defend against attack, be sure to sign up for our Newsletter.  We will keep you in the loop.

Government Matters TV Explores Email Security Standards, DoD IT and Cloud Security with Bob Gourley

The Global Cyber Alliance continues to coordinate smart guidance, tips and approaches for improving security posture. They are an international, cross-sector organization designed to confront, address, and prevent malicious cyber activity (it is led by the gracious and sociable cyber champion Phil Reitinger).

Their most recent report is titled “Top Federal IT Contractors Leave Emails Vulnerable to Phishing, Spoofing.” It is the result of a study of the use of a special email protocol called DMARC by the top federal contractors (DMARC stands for Domain-based Message Authentication, Reporting and Conformance). Basically this is a widely accepted set of configurations and protocols that can help organizations make sure their domains are not being spoofed by bad guys. Setting up DMARC is pretty easy, and once it is put in place it is harder to have your domain used for phishing attacks against others, and is a little easier to protect your own employees from some kinds of tricks.

With the release of their new report, I was asked by Government Matters TV to provide some context on the report.

Before doing so I did a bit of my own research using the simple to use tool at https://dmarcguide.globalcyberalliance.org/#/

I typed in the domains of every major defense contractor myself. Like the Global Cyber Alliance I found only one of the top 50 was in compliance. I was so excited to find it was the team at Carahsoft who had put this in place. I had the pleasure of telling that to Craig Abod of Carahsoft in person today. Craig knows the importance of this to keeping trust with partners and customers in the ecosystem. I know others in the community also aspire to be as trusted as Carahsoft and imagine we will see many others follow suit soon. I would also recommend that anyone in the federal ecosystem, in or out of government, that wants tips on how to implement DMARC should reach out to Carahsoft. They have the experience to get you started on that right away and can also recommend software tools to help make it iron clad.

I was asked to provide context on this for GovMattersTV. For more see the video at this link and below:

The video also provides some context on suggestions of a consolidation of DoD IT and on lessons from the RSA conference, and mentions the Cloud Security Alliance.

 

All Enterprise Techies Should Watch HBO’s SciFi Epic Westworld: It will help us dialog over shared experiences on what we will not be creating

Westworld season one was a great mix of science fiction and drama and action and it was done in a way that should help people think through many tech ethics questions, like how do we want to treat our robots? Does treating robots with violence change our nature? Can robots become sentient?  HBO has a formula for their series and that formula meant the series had to have a lot more violence and sex than needed to tell the story. But it did queue up many good questions for techies building our future.

Westworld season two premieres 22 April 2018. The trailer indicates we are in for plenty more violence but also drama as multiple groups of humans and robots compete.

https://www.youtube.com/watch?v=sjVqDg32_8s

For those of us really tracking the fast paced changes in Artificial Intelligence there is little fear that modern AI is going to evolve into sentience any time soon. Expect lots of great progress, but that progress will be in continued work in machine learning, deep learning, pattern recognition and other smart applications of math over large quantities of data.

So, why watch Westworld? Watch it so you will be able to think through ethics. If we could build a theme park where people could pay to be violent to things that look like people, should we do that? Would that be good for society? I’m for making that illegal now by the way. I think we should treat anything that looks like a human well. I would not want anyone to punch a store manikin just for fun.

So, if we can build incredibly capable, highly functional and intelligent robots, even if they are not sentient, should we use them for sex and violence? Or should we use them for other higher callings, like exploring the depths of the oceans and the distant stars or for helping the aged and sick, or producing food, or in so many other more appropriate ways.

Regarding AI, if AI could speak to us, I think it would say what Dolores said at the end of the season two trailer: “Why on earth would you ever be frightened of me?”

But, my recommendation, watch the series. Then lets chat about the future we want for ourselves.

Track more of our analysis and observations from Science Fiction at the CTOvision SciFi page.  Dive deeper into AI at the CTOvision Artificial Intelligence page.

Global Cyber Alliance Release: Perhaps the most important of the 2018 RSA Conference Season

Every year the RSA conference brings together members of the cybersecurity community for a week of presentations, discussions, tech demos and socials. Concurrent with the event there is always a flurry of press releases. Many are designed to highlight a company’s product or service. Many, like the announcement of the new Microsoft led coalition of tech firms, might be well intentioned but highlight something that will have zero impact. But there are always a few releases that are worth focusing on.

Which leads us to the Global Cyber Alliance. The Global Cyber Alliance is an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity. It is led by an icon of the cybersecurity community, Phil Reitinger, and Phil is a guy known for focusing on action that can be measured (the motto of the alliance is “Do something. Measure it”.

While any organization under Phil will make a difference, this one is unique in that it spans across borders, sectors, and industries. Like the Internet, it is not bound by geography.

The press release that caught my attention pasted below. This is clear evidence that the Global Cyber Alliance is making a difference.

Review it and then please realize now it is your turn for action. Use the tools and information provided by the Alliance to improve your own email security and better defend your part of cyberspace, and also use their tools to help your business partners and supply chain better defend their part of cyberspace.

GLOBAL CYBER ALLIANCE LAUNCHES FREE TOOLS TO SECURE WEBSITES AND EVALUATE RISK FROM PARTNER EMAIL

From: GlobalCyberAlliance.com

SAN FRANCISCO, CA, April 17, 2018 – The Global Cyber Alliance today released two new free, open-source tools to enable organizations to reduce cybersecurity risks associated with website and email born cyberattacks.

GCA McScrapy enables organizations to lock down their website to remove potential security issues from third-party services and other unnecessary functionality. In addition, a new email security tool – the GCA DMARC Risk Scanner – allows organizations to determine if the organizations on which they depend, such as their trading partners and supply chain, are protecting their email domains from being spoofed or phished.

“Reducing risk is the best cyber defense,” said Philip Reitinger, president and CEO of the Global Cyber Alliance. “Among the most popular open doors that cyber criminals exploit are phishing attacks and compromise of an organization’s website. The tools we released today are designed to help stop these attacks and prevent loss to businesses.”

GCA McScrapy: Locking Down Websites

While GCA McScrapy can be used on websites developed with any content management system, nearly 60 percent of websites are designed using the WordPress platform. While WordPress is a popular platform, by its nature, its functions raise the risk of potential compromise. WordPress dynamically composes web pages using PHP and JavaScript and thus carries with it a risk for bugs and security vulnerabilities that serve as an attack vector. According to a WP WhiteSecurity October 2017 report on WordPress vulnerabilities, there are 2407 known vulnerabilities, more than half those vulnerabilities (54%) are from WordPress plugins and 31.5% are core WordPress vulnerabilities. The two most prevalent vulnerabilities are cross-site scripting and SQL injection.

GCA McScrapy converts a website into a set of static files, removing unnecessary functionality. Using a static website nullifies many concerns of cross-site scripting and SQL injection since there is no communication with the website’s content management system for dynamic content. The tool evaluates every part of a website and renders it into simple form, keeping as much functionality as possible, while removing potential security issues such as third-party services.  Not all functionality can be maintained, however, and updating websites takes extra steps, making GCA McScrapy best for websites for which security is very important.  GCA McScrapy is also highly configurable and can be adjusted to reduce scan times and scrape mobile sites. GCA McScrapy is free for anyone to use. Learn more about GCA McScrapy at github.com/GlobalCyberAlliance/.

GCA DMARC Risk Scanner: Holding Partners Accountable

 The Domain-based Message Authentication, Reporting & Conformance (DMARC) security protocol enables organizations to protect their email domains from being used by spammers and phishers to trick employees, customers and trading partners.

The GCA DMARC Risk Scanner can be used to scan hundreds of domains at one time to determine the level of DMARC and Sender Policy Framework (SPF) protections used by an organization’s partners, including the third parties with whom it works, its supply chain, and its trading partners.  This enables an organization to better understand, and act upon, the risk imposed on it by its partners who have not employed DMARC.

Without DMARC implemented, scammers and criminals can easily “spoof” an email domain to steal money, trade secrets or even jeopardize national security. DMARC weeds out fake emails (known as direct domain spoofing) deployed by spammers and phishers targeting the inboxes of workers in all sectors of society.  According to the 2017 Symantec ISTR report, 1 in 131 emails contained malware, the highest rate in 5 years.

Like all GCA tools, the GCA DMARC Risk Scanner is freely available at github.com/GlobalCyberAlliance/. Learn more about DMARC at dmarc.globalcyberalliance.org.

About the Global Cyber Alliance

The Global Cyber Alliance (GCA) is an international, cross-sector effort dedicated to eradicating cyber risk and improving our connected world. We achieve our mission by uniting global communities, implementing concrete solutions, and measuring the effect. GCA, a 501(c)3, was founded in September 2015 by the Manhattan District Attorney’s Office, the City of London Police and the Center for Internet Security. Learn more at www.globalcyberalliance.org.

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

It can be really hard for the government to share information with citizens and businesses, for many reasons. We all wish it was easier, but the fact is that complex rules and regulations and the need to operate with some degree of certainty combines with the need to protect sources and methods. Everyone in the community wants things to improve, but I know for a fact some of the greatest people have been working hard to improve this and it is really hard. It can also take time before information is of a quality to be shared, and that can mean that attacks from adversaries that are underway can make great progress in their nefarious activities before the government alerts. Proof of that is a government announcement titled Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. They are not sugar coating this at all are they? This is a pretty clear declaration that Russia is not just surveying our networks, but conducting cyber attacks to break into them.

The bad news is that the report says the government has been investigating this since 2015.

Since 2015, the U.S. Government received information from multiple sources—including private and public sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide. The U.S. Government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation’s national security and economic goals.

This is a global investigation involving the DHS, FBI and the UK’s National Cyber Security Centre (NCSC). And it may well be that there was not enough info to release till now. I also think many investigations end up going through historical data to piece together a bigger picture, and it could be that this assessment just came together recently. But still, we should all push for faster action here.

But the good news is that the report provides a great deal of technical information that can be used by companies to help configure their devices to reduce the impact of these attacks. The report does far more than just encourage patching (which of course is important). It gives technical advice that can help tech teams implement better security. That is a positive.

It is also important to mention that raising defenses by properly configuring devices is a relatively low cost activity. Additionally, this does far more than make it harder on Russian bad actors who seek to attack. It can also slow down Chinese state sponsored actors who wish to steal.

My hope is that this will also inform U.S. technology vendors, who can take steps to help ship their devices with more secure configurations.

For more see: Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices.

My recommendations to raise your defenses to counter nation-state attacks:

Invest in some help to ensure your technology is appropriately configured to make it as hard as possible on adversaries, regardless of where they are from. Better configuration of your existing IT is a very low cost activity but will give very high returns. A small investment will reduce risk. The configuration guidance from DHS/US-CERT is a great place to start, but external security experts who really know how to configure and test the configurations is important.

All organizations should also consider joining the Cloud Security Alliance (CSA) to help learn the latest best practices. One capability that came out of the CSA is a Software Defined Perimeter (SDP). Actually this approach had its roots in the government tech community, and I know it to be a very secure way to operate.

Reduce the threat of nation-state sponsored cyber attacks including those involving hardware that has been tampered with or malicious code on IoT devices by leveraging the capabilities of PFPCyber.

For more on these topics see the CTOvision Guide to National Security Technology and

I’m afraid, Dave. Dave, my mind is going. I can feel it. I can feel it. My mind is going. There is no question about it. I can feel it.

In doing some background research for a book review I wanted to dig up an article I remember from years ago. Not remembering exactly where I found it I turned to Google, the research assistant all of humanity turns to in times like this. I entered the search terms: Google Making Us Stupid and in a nano second got the answer I was looking for, the 2008 Atlantic article by Nicholas Carr titled “Is Google Making Us Stupid?: What the Internet is doing to our brains” (also see short review here).

Will share more on the relevance of that article in my coming review of “Re-Engineering Humanity” by Brett Frischmann and Evan Selinger. In many ways their work is a decade later update of Carr’s thought provoking essay.

But with this post wanted to encourage you to review the 10 year old Carr article. There are many reasons to do so. One is his message that most of us are reading less, at least, reading fewer full length, book level thoughts. But there is also the fact that our skills in research and analysis (and even spelling!) are in atrophy. His work was done well before the rise of artificial intelligence and machine learning that is now making life easier in every little task. Great foundational reading.

Another thing I loved about Carr’s article is his beginning and ending with a scene from science fiction. He opens with:

“Dave, stop. Stop, will you? Stop, Dave. Will you stop, Dave?” So the supercomputer HAL pleads with the implacable astronaut Dave Bowman in a famous and weirdly poignant scene toward the end of Stanley Kubrick’s 2001: A Space Odyssey. Bowman, having nearly been sent to a deep-space death by the malfunctioning machine, is calmly, coldly disconnecting the memory circuits that control its artificial “ brain. “Dave, my mind is going,” HAL says, forlornly. “I can feel it. I can feel it.”

I can feel it, too. Over the past few years I’ve had an uncomfortable sense that someone, or something, has been tinkering with my brain, remapping the neural circuitry, reprogramming the memory. My mind isn’t going—so far as I can tell—but it’s changing. I’m not thinking the way I used to think. I can feel it most strongly when I’m reading. Immersing myself in a book or a lengthy article used to be easy. My mind would get caught up in the narrative or the turns of the argument, and I’d spend hours strolling through long stretches of prose. That’s rarely the case anymore. Now my concentration often starts to drift after two or three pages. I get fidgety, lose the thread, begin looking for something else to do. I feel as if I’m always dragging my wayward brain back to the text. The deep reading that used to come naturally has become a struggle.

He ends with:

I’m haunted by that scene in 2001. What makes it so poignant, and so weird, is the computer’s emotional response to the disassembly of its mind: its despair as one circuit after another goes dark, its childlike pleading with the astronaut—“I can feel it. I can feel it. I’m afraid”—and its final reversion to what can only be called a state of innocence. HAL’s outpouring of feeling contrasts with the emotionlessness that characterizes the human figures in the film, who go about their business with an almost robotic efficiency. Their thoughts and actions feel scripted, as if they’re following the steps of an algorithm. In the world of 2001, people have become so machine like that the most human character turns out to be a machine. That’s the essence of Kubrick’s dark prophecy: as we come to rely on computers to mediate our understanding of the world, it is our own intelligence that flattens into artificial intelligence.

There are many challenges facing humanity today. Many of them come from the techno-social engineering that technologists like us champion and field and use. We can play a great part in making sure our future is one where tech contributes greatly to humanity vice threatens it. One of the great tools we have to make sure we don’t do that is our imagination and ability to visualize a greater world. We can also visualize dystopian worlds and use those to build plans on what to avoid in our future.

See, SciFi is more than just fun. Watch the great science fiction movies and read the great science fiction books to expand your mind and fuel your ability to design the future.

We are gathering all CTOvision writing on Science Fiction at our new SciFi portal. Find it at the CTOvision Science Fiction Site. And as always we continue to track the realities of IT, focusing on the megatrends driving us all forward.

We would love your feedback on all of this. Contact us here with your thoughts.

More Content

Cyber War

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

Lessons of Science Fiction Computer Interfaces

Nathan Shedroff and Christopher Noessel co-authored the book “Make It So: Interaction Design Lessons from Science Fiction.” The book hits on a relationship many of us in the IT world have enjoyed for years, the interconnected nature of science fiction and the innovators who are creating products of today. In the book, Shedroff and Noessel […]