CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for George Romas

George Romas

Overcoming the Equation: Security = Friction

Why does security have to be so onerous? Is this password secure enough: Mxyzptlk? Wait, that might be vulnerable to a comic book dictionary attack (bonus points for Superman fans), so let’s add some numbers and special characters: M4xyZ!ptL#K. Not bad, but suppose policy requires 12 or more characters; we have to pad the password: 0M4xyZ!9ptL#K. Now that’s secure – good luck remembering it!

We’ve migrated to a userid-password society; as we’ve added layers of security, we password-protect each layer: PC (and now device), network, enclave, application, database, and storage (encryption). Don’t use the same password for everything, because if the bad guys crack one, they own you. We’re not done yet, though – badges for physical access, PKI, USB keys, SmartCards, soft certs, biometrics, Network Access Control, firewalls, IPS/IDS, SIEM … I could go on and on. As you try to simplify the user experience and reduce friction, the cost for security goes up. Userids and passwords are almost free. It’s much easier to use biometrics or a SmartCard to identify yourself to a system or application. However, those solutions require fingerprint readers, better encryption, key management programs, and card provisioning systems, which also translates to more people needed to manage the security infrastructure. A telling example is the Department of Defense and its approach to mobile security. After investing in deployment of secure physical and cyber access via the Common Access Card (CAC), it made sense to leverage that investment in the mobile realm. However, to use CAC with an Apple iPhone, you need to buy a sled – an iPhone case with integrated card reader. The solution works well, however the sled costs more than the iPhone!

Instituting secure computing behavior can be ingrained, but it has to be built into both policies and culture. Working in secure government spaces for over 30 years, I lock my computer screen at home whenever I step away, have a strong password on my WiFi network, encrypt sensitive personal data, and have mirrored hard drives in my Network Attached Storage (NAS) device. However, that behavior is somewhat “old school” and the product of a very focused environment. Today’s computing culture is characterized by instant-on, always on, and always connected. Anything that slows you down, like having to enter a PIN to unlock your phone, is friction.

Can we overcome the friction of security? There are some attempts to improve usability, with an accompanying decrease in the strength of secure solutions. Referring back to the CAC, and SmartCards in general, the National Institute of Standards and Technology (NIST) has published a draft of Special Publication (SP) 800-157, “Guidelines for Derived Personal Identity Verification (PIV) Credentials.”

Instead of dealing with the additional cost and usability issues of a sled, you can derive a credential from the original cert that resides on your CAC or PIV card. That derived credential is transferred to a mobile device’s internal storage or microSD card, and can be used to authenticate an individual to an organization’s resources. The derived credential isn’t as strong as the original because it’s cryptographically removed from the cert that was vetted and checked through a strict, formal process. However, the derived credential has less friction.

I’ll use another mobility example here, just because computing is becoming more and more portable as devices incorporate improved and additional capabilities. The primary method for protecting your device against tampering today is password or PIN. No one likes having to enter that PIN – it takes an extra 2-3 seconds of focused attention. Definitely not instant access! Plus it’s another password to remember (if you happen to have separate passwords to access accounts of different sensitivity)! So Apple came up with Touch ID on their iPhone 5s. Once you register a fingerprint, it’s a simple touch to the main button to unlock your device. Less friction equals better user experience while providing a better level of security.

There are other innovative solutions coming to market that embrace the idea of frictionless security. The main concept is to leverage big data to determine the unique identity of an individual based on his or her behavior. Over time, our use of devices and network resources will form a pattern; no two people should have the same behavioral patterns. One company that’s developed this approach is ThreatMetrix.

Their two-factor authentication solution consists of a unique device ID and the big data pattern associated with it. The solution is intriguing – if my behavior can be proven to uniquely identify me (what ThreatMetrix calls a Persona ID), then my access and interaction with network resources could be frictionless.

Relating back to my previous blogs on continuous monitoring and the IoT, this frictionless security will become even more important in the near future. Today, you log into work accounts (network, financial, remote access, personnel, maybe more) and home accounts (WiFi, shopping, travel, financial, social networks, definitely more) with at least userid/password, and possibly something more secure (two-factor, multi-factor). Imagine having to do the same for your refrigerator, thermostat, home security system, and automobile. As more computing devices and sensors become integrated in our daily lives, security becomes even more critical in protecting our privacy and safety. We have to develop security methods that are easy to use, yet provide sufficient protections to keep us safe. The equation needs to be Modern Security = Frictionless.

This post first appeared on George Romas’ HP Blog

 

The Internet of (Secure) Things – Embedding Security in the IoT

We’re seeing a glimmer of the future – the Internet of Things (IoT) – where anything and everything is or contains a sensor that can communicate over the network/Internet. The underlying technology enabling IoT is Machine-to-Machine (M2M) communications. Your running shoe tracks your workouts, sending the data to a mobile app. Your wristband tracks your daily activities, including sleep patterns. Your smartphone controls your television. Your tablet displays recorded videos from your home DVR, anywhere in the world. Your refrigerator tracks your food consumption and contacts a nearby grocery store to restock (someday delivered by drones!) Your car self-tunes and in the future may self-drive and be aware of your schedule (so will self-start and adjust the environment when it’s time to go to work). These are examples of consumer-oriented sensors and devices, but that has occurred in parallel with business, professional, infrastructure, government and military applications. Here are some examples…

Healthcare: Think of medical devices and how they’ve progressed – pin pricks for testing blood sugar to diabetes pumps to contact lenses that can monitor your blood sugar. Pacemakers can report statistics on your heart to doctors and hospitals.

Homes/Offices: Companies and utilities are building sensors into major appliances and HVAC systems. You can opt-in to smart metering so that a utility can load balance energy distribution. That capability is starting to reach into the home, with NEST thermostats and smoke detectors for example. Security alarm systems have communicated with operations centers and police for a long time, but now allow monitoring and control from your smartphone. These smart home technologies are also being applied to smart office buildings. Sensors throughout a building monitor power demand, air temperature and moisture, light levels and external factors (e.g. weather reports). That data is integrated with the building control system and room schedules to optimize energy consumption.

Transportation: For automotive vehicles, there are speed and red-light cameras, EZ Pass toll payments, bridge stress sensors, and traffic management systems outside the vehicle. Inside, there are diagnostic monitors, heads-up displays, adaptive cruise control, and integration with smartphone or in-vehicle GPS/mapping systems. Similar sensor systems exist for rail, sea and air transportation.

Agriculture: GPS-directed combines and sensors on everything from sprinkler/irrigation systems to soil/fertilizer quality are connected via a mesh network to optimize production and quality (thanks Ray Van Houtte for your graduate work in the 1970’s!)

Military: Sensor systems are being used to improve operations from logistics to the battlespace. By tracking the details of every item, the supply chain can be dynamic and more easily optimized. Sensors on drones and robots – air, land and sea – communicate to human operators, analysts and soldiers in the field to improve situational awareness and tactics. There’s even an Android app that leverages M2M communication to a scope to enable a sniper rifle to hit the target every time, regardless of the shooter’s expertise.

Last year, there were over 10 billion connected devices, and estimates predict this number to climb to anywhere from 30 to 50 billion by 2020. In terms of sensors, HP Labs estimates that we’ll hit 1 trillion before too long. To leverage the data and information across a number of these areas, HP Labs is working on a project called CeNSE (Central Nervous System for the Earth)

CeNSE intends to deploy billions of nanoscale sensors that detect and communicate information across all five human senses. The goal is to better understand our world in order to improve resource management and predict dangers to safety and security in the physical world.

hpinternetofthings

With these burgeoning capabilities, there needs to be some focus on cyber security. In my previous blogs, I wrote about continuous monitoring. In today’s current environments, attempts to continuously monitor enterprise security are challenged to track their current assets, which for large organizations number in the hundreds of thousands. The IoT will multiply those assets by a million or more. Today those assets are built on a variety of platforms and operating systems; the software is rarely patched and their communications are not secured. We’ve already seen examples of exploits of these systems – automobile telematics, pacemakers, smart TVs, and more. Science fiction depicts the worst of these scenarios in movies like “Terminator” or “The Matrix”, with machines taking over the world. In the latest of these, Ray Kurzweil’s idea of the singularity moves to the dark side, with a human intelligence taking control of the IoT in “Transcendence”

Things aren’t necessarily so dire. The need to embed security in the IoT, from sensors to mobile apps to back-end infrastructure, is recognized and there are a number of efforts working to address the issue.

In private industry, there are companies using their expertise in cybersecurity to provide solutions in this space – QNX, acquired by Blackberry, and Mocana. QNX is a mature Unix operating system that over the years has built the most secure real-time operating system (RTOS) for embedded systems, Neutrino. It’s being used in automobile systems, home appliances, and to secure M2M communications.

Mocana is working on a new type of product code called AtoM (App-to-Machine) that will allow different users to manage and control devices securely, depending on their authority. In addition, they have built a Device Security Framework that provides end-to-end security for any device, based on US Government standards and regulations

On the open source side, there is an effort to build common communication platforms and interfaces for the IoT called AllJoyn that simplifies device information and configuration, onboarding, notification, control, and audio streaming.

Similarly, the AllSeen Alliance expands AllJoyn’s framework to multiple manufacturers and communication fabrics.

By enabling the integration of the variety of devices to communicate and connect, these initiatives will provide a common framework to secure and monitor the IoT. It’s something we have to build in to the IoT ecosystem now. If we wait, we’ll be playing catch-up, just like we are in Internet security – but at a much larger scale. Of course, with billions and trillions of devices and sensors, the accumulation of this information leads to a discussion of big data and big security data, which I will address next time.

Related Reading:

Battlespace Awareness and Unmanned Vehicles: Common Control Services

Exclusive: Apple in talks with potential suppliers of sensors for self-driving cars – sources

Continuous Monitoring – Part 2

I previously wrote about the various “functional areas” of continuous monitoring. According to the federal model, there are 15 functional areas comprising a comprehensive continuous monitoring solution, as shown in the graphic below:

Federal CM Model

These functional areas are grouped into the following categories:

  • Manage Assets
  • Manage Accounts
  • Manage Events
  • Security Lifecycle Management

Each category addresses a general area of vulnerability in an enterprise. The rest of this post will describe each category, the complexities involved in integration, and the difficulties in making sense of the information. “Making sense” means a number of things here – understanding and remediating vulnerabilities, detecting and preventing threats, estimating risk to the business or mission, ensuring continuity of operations and disaster recovery, and enforcing compliance to policies and standards.

The process of Managing Assets includes tracking all hardware and software products (PCs, servers, network devices, storage, applications, mobile devices, etc.) in your enterprise, and checking for secure configuration and for known/existing vulnerabilities. While some enterprises institute standard infrastructure components, it still takes a variety of products, sensors and data to obtain a near-real-time understanding of an organization’s security posture. Implementing an initial capability in my cybersecurity lab, we have integrated fourteen products and spent considerable time massaging data so that it conforms to NIST and DoD standards. This enables pertinent information to pass seamlessly across the infrastructure, and allows correlation and standardized reporting from a single dashboard. This will become more complex as we add more capabilities and more products. In addition, the new style of IT extends enterprise assets to include mobile devices and cloud resources – so our work to understand and manage the security within this area is just beginning.

The next area deals with Managing Accounts of both people and services. Typically, we think of account management as monitoring too many unsuccessful login attempts or making sure that we delete an account when someone leaves the organization. However, if you look at the subsections of the graphic, you’ll see that managing accounts involves additional characteristics – evaluating trust, managing credentials, and analyzing behavioral patterns. This applies not only to people but to services – system-to-system, server-to-server, domain-to-domain, process-to-process, and any other combination thereof. Think about the implications of recording and analyzing behavior, and you’ll realize that any solution will require big data. Security-related behavior is a somewhat nebulous concept, but if you drill down into the details, you can envision capturing information on location, performance characteristics, schedule, keywords, encryption algorithms, access patterns, unstructured text, and more. Accounts (whether a person, system, computer, or service) use assets and groups of assets. As such, the information gleaned from the relationships and interactions between accounts and assets provides another layer of intelligence to the continuous monitoring framework.

The Managing Events category is organized into preparation-for and response-to incidents. In the cybersecurity realm, incidents can cover anything from a spear phishing attack to denial of service to digital annihilation to critical infrastructure disruption to destruction of physical plant. That covers a wide range of methods to protect an organization’s assets – and any physical asset that is somehow connected to a network needs cyber protection. The first thing to do to manage events is to plan! Backup and recovery, continuity of operations, business continuity, disaster recovery – call it what you will, but a plan will help you to understand what needs protecting, how to protect it, and how to recover when those protections fail. This is the next layer of functionality – and complexity – in the continuous monitoring framework; the functions all build upon one another to provide a more secure and resilient enterprise. The security-related data and information aggregated across these layers provides the raw materials to understand your security posture and manage your risk.

The final set of functions deal with Security Lifecycle Management. The lifecycle helps to identify the security requirements of an organization, the associated plans and policies needed to satisfy those requirements, and the processes used to monitor and improve security operations. That improvement is based on the data collected and correlated across all the other functional areas described above. Depending on the size of an organization (dozens of assets to millions of assets) and the granularity of the data (firewall alerts to packet capture), the continuous monitoring framework leads to “big security data”. Timing is also very important. Whereas today we mostly hear about cybersecurity incidents after the fact (hours, days, months, and sometimes years later), continuous monitoring operates on real or near-real-time information. The benefits are three-fold: 1) intrusions, threats and vulnerabilities can be detected much more quickly, 2) you can perform continuous authorization on your systems; typically, after the initial Certification & Authorization approval, re-certification occurs either after a major change in the system or once every two or three years, and 3) big security data can lead to predictive analytics. That’s the holy grail of cybersecurity – the ability to accurately and consistently predict vulnerabilities, threats, and attacks to your enterprise, business, or mission.

There are other benefits to this approach, besides improving an organization’s security posture because let’s face it – all the things I’ve described look like they incur additional costs. Yet after some initial investment, depending on the size of your organization and the security products you already have in your infrastructure, there are actually cost savings. At the top of the list, continuous monitoring automates many of the manual processes you have today, reduces disruptions in your enterprise, and minimizes periodic accreditation costs. This is, however, a complex undertaking. We’ve learned a lot about what works and what doesn’t as we continue to integrate products and build continuous monitoring capabilities in our lab.  Feel free to contact me for best practices or if you have any other questions.

This post first appeared at George Romas’ HP blog.

Related Reading

Changing Government Requirement For Market Research to Continuous Market Assessment

Continuous Monitoring – Part 1

Continuous Monitoring – Part 1

Continuous monitoring has become a major focus area in cybersecurity. From customers to experts to standards bodies, a consensus is building that says continuous monitoring will vastly improve the security of our networks and critical infrastructure.

So what is it?!

We can provide a simple explanation by using a physical security example. Let’s suppose that you want to protect the perimeter of your building or compound, but you only have single-shot cameras to monitor who’s going in and out. You set them up to take photographs every 15 minutes, and you analyze them at the end of the day to look for breaches or irregularities. Of course, you miss a lot of activity!

To start implementing continuous monitoring in our example, you swap out the single-shot cameras for video cameras. Now you have a continuous view, in real time, of what’s occurring in and around your physical enterprise. You have all the information you need to secure your compound, but do you have the resources to monitor and analyze the information in real time?

That’s the same issue with monitoring the security of cyberspace, except the amount of information you collected can be significantly greater. A typical enterprise can collect logs and events from firewalls, routers, servers, PCs, and more.  You can also include physical security data – video, badge machines, motion detectors, etc. In addition, you have to know, and continually update, your asset inventory – both hardware and software. Based on that inventory, the next step is to evaluate the configuration of each asset to ensure it complies to secure configuration standards and guidelines. That inventory also needs to be continually scanned against known vulnerabilities and threats. Vulnerabilities can be based on the asset configuration or the network upon which it resides. As you can see, continuous monitoring is a complex process with a lot of moving parts – and that’s just deploying a basic capability! The eventual goals of developing this capability are to:

  • Put in place a better (defined, repeatable) process for detecting and remediating security issues
  • Create a way to score an organization’s security risk
  • Leverage the insight gained to institute a process of continual improvement towards a more secure enterprise

Regardless of the size of an enterprise, collecting and analyzing this information is daunting. You must first determine what sensors (products) you have and what data are you collecting. There are a wide variety of products in the market that perform the functions described above. HP has a set of products that can provide the core functionality: Enterprise Service Management suite (uCMDB and related products), ArcSight, EnterpriseView, TippingPoint, and Fortify/WebInspect. Other functions and capabilities are provided by third party products. The heavy lifting for continuous monitoring is in the integration of the products and information into a stable infrastructure that ensures the continuous flow of data and analysis that represents the overall security posture of an organization. The Cybersecurity Solutions Group (CSG) Engineering & Architecture team is currently performing the integration of the proposed DHS continuous monitoring solution in the CSG eLab.

In following blog posts, I’ll delve into the other functional areas that define a full continuous monitoring solution and how that aligns with a comprehensive enterprise security reference architecture.

 

This blog first appeared on George Romas’ HP blog.

 

More Content

Cyber War

SciFi

Science Fiction Gadgets You Can Get Today

Technology is advancing pretty fast, at times influenced by the exciting world of Science Fiction. This video captures 10 of the tech developments first seen in SciFi that are available now. A key point of this, if you want to know what is in our future, watch more SciFi!  

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]