CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for Bob Gourley

Bob Gourley

Time For A Fourth Law of Robotics

Science fiction fans recognize Asimov’s prescient thoughts on robot programming, captured in his three laws of robotics. In Asimov’s sci-fi world, robots were all programmed to protect their humans (the first law), to obey their humans (the second law) and to protect themselves (the third law). These laws laid the foundation for many fantastic, futuristic stories and have long provided actionable concepts for today’s robots, including those we launch over our modern battlefields. As the stories advanced, he later added another law, called the “zeroth” law, which had priority over all the others, “A robot may not harm humanity, or, by inaction, allow humanity to come to harm.”

Experience, especially experience in cybersecurity, has opened our eyes to the need for another law of robotics. Our robots, including unmanned aerial vehicles (UAVs), are all designed to communicate continuously when operating, and, unfortunately, these communications have been shown to have vulnerabilities. Many UAVs operate with light or no protections on their internal systems or the communications they have with other systems in the air and on the ground.

The enduring challenges of cybersecurity and the need to include security in the design of our systems from the beginning means it is time for a new law, a fourth law, of robotics.

The new law of robotics is:

There will be no unauthorized access of any robot communications.

Read more about the need for this law and its implications at The Cyber Edge blog at AFCEA.

Read more about robots at Things Cyber Robotics Page  Robots and Robotics What You Need To Know.

What You Need To Know About Mary Meeker’s State of the Internet Report

We should all collectively thank Mary Meeker for her continued efforts in helping capture key trends in our interconnected technology. Her yearly report on the state of the Internet (embedded below) provides context relevant to just about every enterprise decision-maker.

Here are key takeaways:

  • Global smartphone growth is slowing. Growth was 10% two years ago, and only 3% last year. Growth in Internet connectivity is also slowing. My view: This is to be expected. Now expect continued slow growth till 100% of humanity upgrades from old school cell phones to smartphones. Same with Internet connectivity. We are on path to 100% connectivity but we are in the long tail phase. A more important number to track is percent market penetration vice rate of growth. For the U.S., we are now at over 80% market penetration for smartphones (not in Meeker’s brief, see ComScore).
  • The trend towards voice interaction with computers is heating up. 20 percent of mobile queries are now made via voice. Expect that to grow. Expect growth in the home and office too. Meeker points out that Google’s ability to understand voice is reaching the 95% accuracy rate. So you might ask yourself, when will it be as good as humans at understanding language? Guess what, humans are not perfect at understanding spoken language and have about the same error rate. To me this means computer based language understanding has a good chance at being better than human understanding of spoken language really soon. Stand by!
  • Meeker does a fascinating job of highlighting how many successful leaders and entrepreneurs are also fans of gaming. Global interactive gaming is becoming a common experience for a huge percentage of humanity, with over 2.6 billion gamers in 2017. Meeker makes point that in many ways global interactive gaming is helping humanity prepare for the coming shift in computing interfaces.
  • Cloud computing is turning out exactly like tech leaders (including all you CTOvision readers) have been predicting. It is providing more opportunities for enterprises of all sizes (from the smallest business to the largest corporation and governments). It is also providing incredible opportunities for entrepreneurs, innovators and investors. And individuals are also benefiting tremendously. But, there are still risks that have to be mitigated and security issues to resolve. As more and more applications and services migrate to the cloud, more will be required for security.
  • In healthcare, Meeker shows three great waves of how healthcare is delivered. For most of humanity, healthcare was done by human touch and physical examinations. For the last 25 years, there has been machine assisted and analog technology support. Today we are seeing the rise of digital technology in health care delivery. This is generating new data cycles aimed at improved outcomes is: Digital Inputs, Data Accumulation, Data Insight, Translation for Impact.

And on a humorous note: 

Mary’s slide decks are full of informative graphs. I have a graph I would like to present too. The graph below plots the number of slides in her presentation, going back to 2006.

Ha! So analyze that! Looks to me like the number of slides in the State of the Internet Brief have hit the knee of the curve and can now be expected to double every year. If this doubling continues then in just 12 years it will contain over a million slides. In 33 years there will be more slides in her brief than there are smartphones in the world! (Mary if you are reading this I hope you are smiling! I would like more slides because I love what you are doing!).

The So-What:

On a more serious note, the most actionable thing the brief should do for enterprise technologists is help you to think through current business processes. There are many continuous questions to ask yourself. For example:

  • How do you learn to more rapidly access the impact of new technology on your business model?
  • How does your understanding of the future of IT inform decisions on technology selections for your enterprise?
  • What do you do to better secure your infrastructure?
  • What do you do to better empower your workforce to take advantage of the new realities of technology?

We hope that as you think through those questions you stay with us at CTOvision for continued updates. Please be sure you are signed up for our monthly newsletter and our daily alerts by visiting our Newsletter Settings page. And track the latest on Twitter at @CTOvision.

 

Enterprise Security and Functionality Benefits of the new Software Defined Perimeter (SDP) Approach

The dynamic nature of today’s IT Operations has eroded the network perimeter in ways we have all been watching and even cheering on! This is a new world of mobility, cloud computing and rapid partnering for success.

But the erosion of the network perimeter is making traditional security a roadblock to efficiency. No one wants to allow holes to be poked in the security system but no one wants to shut down connectivity to partners either.

The Software Defined Perimeter uses software techniques to render the internal environment invisible to all outsiders, unless trust is granted. Secure connectivity is provided only to trusted users and devices. The SDP approach was pioneered by proven enterprise IT, cloud computing and security experts working collaboratively together under the Cloud Security Alliance (CSA).

SDP Combines:

  • On-device authentication
  • Identity-based access
  • Dynamically provisioned connectivity

Key benefits of this approach include the following unique security properties:

1) Information Hiding

No DNS information or visible ports of protected application infrastructure. SDP protected assets are considered “dark” as it is impossible to port scan for their presence.

2) Pre-authentication

Device identity (of the requesting host) is verified before connectivity is granted. Device identity is determined via a MFA token that is embedded in the TCP or TLS set up.

3) Pre-authorization

Users are provisioned access only to application servers that are appropriate for their role. The identity system utilizes a SAML assertion to inform the SDP Controller of the hosts’ privileges.

4) Application Layer Access

Users are only granted access at an application layer (not network). Additionally SDP typically whitelists the applications on the user’s device – thus provisioned connections are app-to-app.

5) Extensibility

SDP is built on proven, standards-based components such as mutual TLS, SAML and X.509 Certificates. Standards based technology ensures that SDP can be integrated with other security systems such as data encryption or remote attestation systems.

For more information on this approach contact us

Executive Order Underscores Need For Leadership Accountability In Reducing Digital Risk

The 11 May 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure is notable for several reasons. The order is significant as it discusses improvements to the federal government’s (and the nation’s) digital infrastructure, protection of the power grid, replacement of antiquated IT systems, and protection against cyber threats. It also makes it clear that government leadership is accountable for cyber security. Agency heads can no longer delegate responsibility for cybersecurity to their IT staffs. Risk management of assets is now a part of their mission and must be administered with resources (time, budget, and people) to accomplish this.

Many of us in the cybersecurity community see this order as a positive step. Cybersecurity has always been a leadership issue, but something about human nature has made it incredibly hard for many leaders to get that. This has resulted in an observable phenomenon we call “cyber threat amnesia“, where leaders of organizations forget about the cyber threat as soon as the last problem was handled. As evidence that this phenomenon is part of our nature, we have also long documented a problem the community has in considering every new major attack a “wake-up call“.

We have conducted cybersecurity assessments of firms across multiple sectors of the economy and the government, and have found one key factor is the most important to assess in any organization: If the leader is aware that reducing digital risk is not just an IT function then there is hope. If the leader does not understand this point then educating that leader becomes the priority.

This brings us back to the cybersecurity executive order. We know for a fact that more leaders today are aware of cyber threats and know they must be treated seriously. But by underscoring that agency heads and cabinet department officials are responsible the executive order makes it clear that leaders must lead, and that is very good.

Another thing we really like about the executive order is the requirement that agency heads leverage the NIST Cybersecurity Framework. We have seen first hand how use of this framework can help organizations form a comprehensive look at their policies, process and technology. One of the benefits of the NIST Cybersecurity Framework is it’s language and approach form a taxonomy of common terms that can greatly help in communication around cybersecurity.

As agency heads move to leverage the NIST Cybersecurity Framework, we urge all to keep in mind that it does NOT adequately address a key component of cyber risk mitigation: the use of external insights to optimize defense. Most in the community are calling this cyber threat intelligence. But what we are really talking about is how to get information from outside the organization that can help defend the organization. This includes subjects like learning what adversaries are doing (so you can optimize defenses against them), learning what your attack surface looks like (so you can spot vulnerabilities and reduce them) or learning successful defense lessons from others in the community.

There are many best practices and solutions that can help address these gaps. One free to use solution in use across government today is the investigative toolset called PassiveTotal by RiskIQ. PassiveTotal makes it easy to discover and proactively block malicious infrastructure and provides analysts with a single view into the data they need for discovering what adversaries are doing.

Other references we recommend for agencies moving out on implementing the executive order include:

Could A Technology Loop Be Causing Your Epic Mind Fail?

It is a fact of modern life: We all run the risk of getting too distracted by our IT, especially IT connected to our social media. Today, for example, my priority is finishing a White Paper for a favorite client, and I promise I will do that, but I just saw this really cool clip on YouTube from Portlandia and I had to share it with you. Then I promise I’m turning off all external comms and getting back to my writing.

In the clip, the great modern social philosopher commentators Fred Armisen and Carrie Brownstein use a bit of humor to show the dangers of getting stuck in a technology loop. Watch it and be warned! And laugh! But then think of how better your life might be if you unplugged for a while.

Watch The Technology Loop

For more fun:

Cybersecurity Due Diligence: Now a best practice in Merger & Acquisition (M&A)

Cooley is an international law firm recognized for its technology practice and experience in multiple practice areas, including Mergers and Acquisition (the firm has handled over 1,000 M&A transactions since 2010). In a recent post on the Cooley M&A website titled Cybersecurity Diligence in M&A Transactions, Cooley partners Andrew Lustig and Randy Sabett  bring clarity to a clear trend in the marketplace: cybersecurity diligence is now a part of the M&A diligence assessment.

Lustig and Sabett put it this way:

Historically, M&A due diligence focused on “traditional” risk areas such as tax, employment and benefits, intellectual property protection, and contracts (inbound and outbound). As technology advanced and software became a more significant, if not the primary, asset due diligence evolved to include such things as software escrow (where a third party may have copies of a target’s source code) and open source software (where ownership of a company’s source code might be tainted by claims by the open source community) among other things.  Specialists with substantive knowledge are now often brought in to perform detailed diligence in these technical areas.

Today, it has become apparent that cybersecurity has become one of the areas where substantive diligence should be conducted not just as an afterthought but as an integral part of the M&A process for any deal, particularly those that involve targets with any kind of online presence. In fact, according to the “Cybersecurity and the M&A Due Diligence Process – A 2016 NYSE Governance Services/Veracode Survey Report,” 85% of public company directors and officers say that an M&A transaction in which they were involved would likely or very likely be affected by “major security vulnerabilities.”  In addition, 22% of those surveyed say that they would not acquire a company that had a high-profile data breach, while 52% said they would still go through with the transaction but only at a significantly reduced value.  The Verizon/Yahoo! situation and the recent Telstra/Pacnet deal highlights the importance of cybersecurity diligence and the benefits of having carefully-worded contractual provisions to reflect the parties’ negotiated risk-allocation for cybersecurity breaches after a deal is signed.

We have contributed to cybersecurity assessments on both side of M&A transactions. We have helped acquiring firms better understand the digital risks and security posture faced by the firm they are going to acquire, and we have helped firms that want to be in a better position to be acquired ensure they have taken prudent steps to reduce their digital risks.

If you are on the buy side of an M&A deal, you will want to make sure your cybersecurity due diligence delivers the information you need. This includes:

  • Information that may point to not yet revealed cybersecurity problems
  • Estimates of the cost to remediate cybersecurity issues
  • Information on the risk due to cybersecurity issues, including quantification if possible, since it could impact decisions on whether to consummate the deal or negotiate down the purchase price
  • Indications of compliance problems
  • Understanding of security frameworks/approaches
  • Understanding of the security architecture
  • Awareness of breaches and how they have been responded to

If you are on the sell side of an M&A the information above should motivate you to focus on your security posture. Other considerations include:

  • Does your entire executive team understand their role in cybersecurity?
  • Do you have strong governance (policy, process, leadership) that supports your security compliance requirements (which may well include, for example, the Gramm-Leach-Bliley Act (GLBA), FFIEC, FINRA, FISMA, HIPAA, HITECH, Fair Credit Reporting Act (FCRA), and others
  • Do you have an up to date, actionable cybersecurity policy? Do you have an incident response plan? Do you have a privacy policy that is actionable and applied?
  • What is the status of your technical defenses?
  • Have you had appropriate independent verification and validation of your approach to cybersecurity?

Whether you are on the buy side or the sell side of an acquisition, we recommend you start with a cybersecurity assessment to cover all aspects of cybersecurity people, process and technology.

Also see:

Leveraging The FFIEC Cybersecurity Assessment Tool (CAT) To Improve Corporate Culture and Raise Security Posture

The FFIEC (Federal Financial Institutions Examination Council) is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB), and to make recommendations to promote uniformity in the supervision of financial institutions. In 2006, the State Liaison Committee (SLC) was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors (CSBS), the American Council of State Savings Supervisors (ACSSS), and the National Association of State Credit Union Supervisors (NASCUS).

For the last several years the FFIEC has been making contributions to cybersecurity awareness, including initiatives aimed at helping financial institutions better understand and deal with cybersecurity risks. In June 2013, the FFIEC announced the creation of the Cybersecurity and Critical Infrastructure Working Group to enhance communication among the FFIEC member agencies and build on existing efforts to strengthen the activities of other interagency and private sector groups. In addition, the FFIEC began assessing and enhancing the state of the industry preparedness and identifying gaps in the regulators’ examination procedures and training that can be closed to strengthen the oversight of cybersecurity readiness.

On 30 June 2015 the FFIEC released a new Cybersecurity Assessment Tool. This tool is intended to help financial organizations large and small better assess and understand risk and also the organization’s maturity in cyber defense.

We have worked with financial institutions and other high risk organization in cyber security assessments for years and have seen first-hand the benefits that the FFIEC approach can provide to organizations. We have also captured many lessons learned from our engagements across the financial (and other) sectors regarding this approach. We share some of those lessons here:

  1. The most important lesson is to understand that the FFIEC CAT should not be seen as just a compliance drill. Regulators will check you for compliance and that is very important. But if used correctly it can also help an organization become more efficient, effective and more secure.
  2. The tool is meant to help and is not designed to be a one-size-fits-all approach. It is best when tailored to your specific organization.
  3. The most important determinant of whether or not the tool will work for you is the attention it gets from senior leadership. And getting their attention means approaching it with the vision of leveraging it to support and enhance business functions. In the financial industry that usually means focusing on enhancing trust among customers and partners.

Here are more thoughts:

The tool has two parts. The first assesses the institution’s inherent risk profile based on five categories:

  • Technologies and Connection Types
  • Delivery Channels
  • Online/Mobile Products and Technology Services
  • Organizational Characteristics
  • External Threats

It is this first section that is the most problematic. It seeks to quantify cyber risks in a very simple way, and this is actually a very complex and hard to measure/quantify topic. On top of that, the best topics to address regarding risk are going to vary significantly from company to company, and even division by division for larger firms. Perhaps this first section can just be thought of as a rough plan to deviate from. It can be an important drill to seek to assess cyber risks, of course, but it seems both arrogant and naive of the FFIEC to think that they can produce a matrix that captures risk for every organization. Since most organizations in the highly regulated financial sector will already have a chief risk officer and many risk processes around cyber, maybe this section should just be offered as a template of considerations.

The second section of this tool brings some good ideas and approaches to evaluation of the organization’s Cybersecurity Maturity five domains:

  • Cyber Risk Management and Oversight
  • Threat Intelligence and Collaboration
  • Cybersecurity Controls
  • External Dependency Management
  • Cyber Incident Management and Resilience

This is were the tool can make contributions to many organizations. The descriptions and definitions for each of these domains and then the assessment factors in each domain are useful, especially for organizations that do not already have an approach to cybersecurity.

 

 

 

 

 

Thought Leaders In Direct Contact With Adversaries Provide Insights Into New Cyber Attack Techniques

One of the greatest things about the annual RSA Conference is the open sharing of lessons learned between cybersecurity practitioners. One of the sessions I found most rewarding and insightful focused on new cyber attack techniques. This session, moderated by the SANS Institute’s Founder and Research Director Alan Paller, included insights from Ed Skoudis, Michael Assante and Johannes Ullrich. Ed Skoudis leads pen testing and hacker exploits immersion training programs at SANS and conducts forensic assessments/diagnoses of major attacks and in doing so maintains continuous awareness of the state of attacks. Michael Assante is highly regarded for his deep knowledge of industrial control systems and is a champion of the emerging discipline of ICS security. Johannes Ullrich is the director of the SANS Internet Storm Center, the early warning system for the Internet.

These great leaders are all known for their ability to convey information succinctly and in ways that stick and this session provided an overview that brought out the best of their knowledge. They structured the discussion around seven new attack techniques.

The session is now available online:

Key takeaways:

  • Expect ransomware to continue to evolve: 150 different families of crypto ransomware today.
  • IoT attacks will continue to evolve: Already used for DDoS. Soon for data extraction.
  • Ransomware and IoT will collide: What if your IoT is shut down till you pay.
  • ICS systems will come under attack, including systems controlling manufacturing plants and buildings
  • Weak random numbers causing a growing concern: Need random numbers of greater entropy.
  • Reliance on web services as software components introduces new threats: Everyone dependent.
  • Threats against new databases (NoSQL) growing: Placing large data at risk.

There are things that can be done to mitigate all these threats. But stopping them starts with awareness.

If you are looking for insights into ways to beat these threats contact us today for more information.

Other Reading:

OODAloop Network Benefit: Direct participation with other members in monthly research meetings(Opens in a new browser tab)

White House Takes Action Against Chinese Intellectual Property Theft(Opens in a new browser tab)

Big Data Project Management: Data Must Flow!(Opens in a new browser tab)

More Content

Cyber War

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]