CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for Cyber War / Cyber Security

Cybersecurity Is Not Just About The Tech

Cybersecurity may well be the most important function in the modern world. Without it, nothing else can be trusted, in any sector of the economy.
hacking-detected-shutterstock_188832089Cyber Security is far more than just protecting data. Security is about protecting the functionality of IT. It involves confidentiality, availability and integrity of resources. This higher order approach to cyber security requires vision, leadership, and actions in dimensions of people, process and technology.
 We also need to draw your attention to the higher order concept of Cyber War. This is, unfortunately, something all technologists should be familiar with now. The most critical piece to read on that topic now is Now That You Are A Soldier In The Cyber War You Must Know Your Cognitive Biases followed by: Main Street Cybersecurity: Can Email Be Safe? and Time for Transformational Cybersecurity!

Stay In The Loop: Sign Up To The CTOvision Daily

When it it time to research the great providers of Cybersecurity Solutions, kick off  your search in the CTOvision Disruptive Technology Finder. Pay particular attention to the sections on Cybersecurity, CASB, Cyber Threat Intelligence, and VPN.

For help putting all this information into context for your business, consider tapping into Crucial Point's CTO-as-a-Service or Technology Due Diligence offerings, both are ways to quickly leverage the technical talents of experienced enterprise technology professionals.

DHS Opens the National Cybersecurity and Communications Integration Center (NCCIC)

If you are an enterprise CTO I’m hoping you already have the site of the US Computer Emergency Readiness Team (CERT) bookmarked.  It it has been a while since you have seen their site please check it out at http://www.us-cert.gov They provide important resources for any enterprise technologist, not just security professionals.

Organizationally they have a team of strong cyber players that have been honing their craft for years.  The US CERT serves a significant mission– they are there to strengthen the defense of the Federal government’s networks, especially those in the civil executive branch (the “.gov” of the Internet).  In executing that mission they help many others and are a critically important part of our nation’s defensive fabric.   The US CERT is run by the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS).

Today the US CERT opened its new operations center.  Their facility is called the National Cybersecurity and Communications Integration Center (NCCIC).  It is a “Unified Operations Center” designed to enable the co-location of other key components of the NCSD and DHS, including the National Coordinating Center for Telecommunications (NCC), the National Cyber Security Center (NCSC), and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).  This new operations center also hosts liaison officers from many other related watch centers which will make it a key information clearing house and a critically important capability for the nation.

I was allowed into the combined watch floor today and was excited to see the tremendous visualizations analysts and watchstanders will be able to leverage as they seek enhanced situational awareness.   Even though all the organizations in this room have different “chains of command” they all share common needs for fast, accurate information and their ability to dialog over visualizations will enhance their ability to jointly figure out what is going on.

On a personal note:  I am very optimistic about this new unified operations center and its ability to make a positive impact– and– although I have seen and believe in the technology they are using, the real reason I’m so positive is the quality of leaders involved.  I’m upbeat because of the folks I know who are driving the right actions.   They include Phil Reitinger , a savvy professional and executive with understanding of the law and technology and mission, RADM Mike Brown, one of of our nation’s greatest military leaders and a key driver of our nation’s cyber posture for over a decade, and a past associate from DIA who had been responsible for ensuring the DoD’s JWICS network survived and thrived and continually enhanced support to the DoD mission.   These folks have many hard tasks ahead and their work is by no means complete but they are some of the best the nation has and deserve our collective support.

Related Reading

 

Flash of the obvious: you are responsible for protecting your data

I really feel sorry for the modern consumer.  None of us, even those of us with computer science degrees, can really assess the security of our computer systems (at least not with any precision).  We can study historical trends and glean lessons on which operating systems are more secure and we can educate ourselves on best practices and optimal configurations, but how can we really know what is secure and what is not?

This has been a problem for as long as consumers have had computers.  It was highlighted again when stories of a data eating glitch in Apple’s latest OS surfaced. According to multiple sites (including The Register),  when some Apple OS users logged into a guest account then back to their user account on their system, all their data was deleted.  Good security protects data and keeps it available. Good security does not delete the data you want access to!

For the last 40 years (since CompuServe in 1969) there have been clear trends towards consumers keeping more data in the cloud.  That trend has been accelerating of late and multiple angles have been studied and dissected here.  Security has always been an issue with consumer data in the cloud, but now it is becoming even more critical.  Many consumers are hosting large parts of their personal, private and sensitive information in cloud based services.  Some are using the cloud for all their finances.   In the mobile world we live in many are leveraging cloud services as part of their handheld/cell solution.  One of the most famous cases of data loss in this area is the news this week of Microsoft’s destruction of consumer data associated with the T-Mobile sidekick.  The cloud can let you down in many other ways.  Poorly configured cloud settings can contribute to social engineering hacks against your data, and there is a wide range of other unknowns that consumers face when deciding how much to host in the cloud.

So lets do a quick net assessment: If you keep your data at home, you can choose an operating system which has a high likelihood of being attacked by malicious code which can compromise your data’s confidentiality, or you can chose an operating system that has been found to totally destroy your data, or you can put it in the cloud where it can be destroyed or leaked by someone you don’t know.

What is a consumer to do?

In my opinion, the first thing a consumer should do is to understand who is responsible for protecting data.  I’m talking to you here.  You are responsible for protecting your data.

If you decide to trust someone else with protecting your data you are taking a risk.  So try to understand that risk and mitigate it.

For example, I use several OS’s at home, including the Mac OS.  All data from my home computers is automatically backed up into encrypted archives.  That reduces risk a bit.

I am also a big cloud user, both for my business and for some personal uses.  But still I’m careful about what data goes into the cloud and how it is protected.  And a key segment of my data in the cloud is backed up locally.  I get cloud benefits and a little more protection.

One thing I don’t do enough is print out important info like my contacts.  After the lessons of the last few weeks I’ll be doing that more.

One thing I’ve never done is use the cloud for sensitive financial data.  I’m just not ready to accept that risk.

On all OSs in my house I work to keep them patched.  And I ensure the anti-virus is up to date.  This is not perfect protection (there is no such thing), but it helps reduce risk.

In choosing cloud providers, I think through the company’s approach to security and their reputation in the area.  We all have to hold these big companies more accountable. And it is just too risky to do business with companies that don’t respect consumers the way we should be respected.

Those and many other steps flow from an understanding that it is my responsibility to protect my data.

I hope those actions are similar to your approach.  Let me know please if you think I should have highlighted something else relevant to consumer data protection.

Related Reading

Bug Bounty Programs : Encourage Responsible Disclosure

Beyond the IoT Buzz Is A New Horizon of Embedded Intelligence, Information Flows and Seriously Smart Apps

Cloud Computing vs. SOA: Look for a cross-over in hype

Cloud Computing is one of the many things enterprise CIOs, CTOs and other engineers will master in delivering capability.  I believe in the power of new Cloud Computing technologies and concepts and think we should all continue our focus there.

I have said, and still say, the same thing about design approaches like Service Oriented Architecture (SOA).  The constructs, methods and models of SOA are good practices that result in good designs for enterprises.   It is smart to separate data from application logic and smart to enable agility and mashups the way good SOA design does.

But a key problem with SOA was the hype associated with it.  Everyone started using the term the way they wanted to.  And every IT vendor came out with their definition of SOA.  And every system integrator tried to sell us buckets of their SOA.  And every trade journal ran SOA articles.  And too many CTOs, myself included, said too much to our customer/users about the promise of SOA and that contributed to our users increasing their expectations over what SOA would deliver.   The result of all of that, the over hype on SOA sometimes caused distractions.  The cure: CTOs focused on what SOA meant for their specific organizations.  It is still a great construct and by focus it is delivering value.

There are now clear indications that the hype around Cloud Computing is going to ramp way up.  In fact, a quick search on Google Trends indicates searches on the topic of Cloud Computing, while still lower than searches on the topic of SOA, are rapidly gaining while searches on SOA are declining.  The two are headed for a cross-over.

The graph below reflects this (a live version of this graph is at Google Trends).

Here are my views of the “So What” of this information.  For the Chief Technology Officer or Chief Information Officer or other enterprise technologist who must really deliver, I’d recommend you brace yourself for a flood of hype.  You have probably already seen indications of this.  But if trends continue the amount of views you (and your bosses) will be asked to consider and deal with will accelerate dramatically.  Your defense against this will be the strength of your own position in Cloud Computing.  Therefore, I strongly recommend you personally think through what Cloud Computing means to your enterprise.  Also, think through your definition of cloud computing.  Hopefully the NIST definition will suit your use, since the more people who form up on that the better.

And you may want to think through which Cloud Computing related events you will attend and speak at.

And you may want to think through you who personally believe the strongest IT players are in the Cloud Computing world.  I have my list.  Let me know if you want to compare notes sometime.

Any thoughts?

Related Reading

Technology and Leadership Lessons From Admiral Archie Clemins

SCADA and ME: A Book For Children and Management

CTOvision Named A Top 20 AI and ML Blog

Game Change: Three Reasons Why #SonyHack Will Change Security

CIA IT Leaders Are World Class IT Leaders

Cloud Computing vs. SOA: Look for a cross-over in hype

Cyberpower and National Security

Last week at the InfowarCon my friend Dan Kuehl handed me a copy of Cyberpower and National Security.  Cyberwar has been a topic Dan has been exploring in some detail for quite a while.  I first met Dan in 1996 when I was a student at the USMC Command and Staff College, and at that time Dan was already writing and exploring concepts related to cyber power and information warfare.  His deep focus and insights into this still emerging mission area continues today.

About the book, it is big. Not just in pages (it weighs in at 642 pages). It is big in info. Chapters are written by some of the greatest thinkers of the Cyber War mission area. Folks like Dan Kuehl, Edward Skoudis, Greg Rattray, Martin Libicki, Irving Lachow, Tim Thomas, Tom Wingfield and of course the editors Franklin Kramer, Stuart Starr and Larry Wentz. These and the other contributors are all well respected thought leaders and each provide insights I believe will be of use to today’s strategic planners.

As for the content, it starts with a great foundation and overview of what is meant by Cyberspace (building on Dan Kuehl’s well articulated definition) and also spells out key issues that policy makers and national security strategists must tackle. It then analyzes and explores changes in cyberspace including projections into the near future, and ends with an analysis of the impact of all these changes- including the considerations we must think through in our strategic deliberations.

I now consider this book a critical foundational work that should be studied by anyone who seeks to dialog on modern national security issues.  This book does for the strategic domain what the Common Audit Guidelines did for the operational cyber domain.

I know NDU will continue to examine these topics, and look forward to more material from them.  I also look forward to continuing to engage with others in academia via the Cyber Conflict Studies Association, a group that includes many of the authors of this Cyberpower and National Security work.

More CTOvision Reporting of Interest:

For more on these topics see the CTOvision Guide to National Security Technology and

Widespread Cyber Espionage: More evidence and what to do about it

This week the New York Times and CNET ran a story by John Markoff titled “Vast Spy System Loots Computers in 103 Countries”

It reads in part:

“A vast electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama, Canadian researchers have concluded. In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved.

The researchers, who are based at the Munk Center for International Studies at the University of Toronto, had been asked by the office of the Dalai Lama, the exiled Tibetan leader whom China regularly denounces, to examine its computers for signs of malicious software, or malware.

Their sleuthing opened a window into a broader operation that, in less than two years, has infiltrated at least 1,295 computers in 103 countries, including many belonging to embassies, foreign ministries and other government offices, as well as the Dalai Lama’s Tibetan exile centers in India, Brussels, London, and New York.”

The full report is available here:  “Tracking GhostNet: Investigating a Cyber Espionage Network.

The report itself is well worth a read by any technologist and by most technology users.  We should all know what we are up against.

Another technical view of the research is available at “Snooping Dragon

I’d also like to offer my opinion that many or even most of the attack vectors can be reduced or mitigated by smart technologists.  And other attack vectors can be reduced or mitigated by smart users trained to recognize when they are being fooled by social networking attacks.

For more on how to reduce threat vectors see:

This only touches on the technological paths into your systems, but it is a great start.

I would also like to offer the opinion that attack paths can be reduced by the smart use of open source technologies.  Open source technologies have fewer vulnerabilities.  They must also be smartly managed and must be well patched (although some few vulnerabilities are detected, when they are detected they need to be addressed right away).  But, the use of foundational secure systems like SE Linux and Trusted Open Solaris is a smart way to reduce your attack surface.

 

For more on these topics see the CTOvision Guide to National Security Technology and

Responding Strategically to Cyber Attacks

The last 12 months has seen a significant amount of progress in our nation’s awareness of cyber threats and in our collective actions to address the security of our IT systems.  However, a huge amount of work remains to be done.

In a cyber context, the situation is a little like the one Winston Churchill described when he said: “This is not the end.  It is not even the beginning of the end.  But it is, perhaps, the end of the beginning.” We in the cyber world have taken some serious blows, and we are shoring up our defenses.  But there is a long long way to go before our objectives are met.

With this post I want to provide a snapshot of some of the progress of late.

1) CNCI: The Comprehensive National Cybersecurity Initiative provided a kickstart to many elements of the federal enterprise and facilitated coordination action by multiple agencies.  It was also an important evolution for Congress.  The changes to the federal budget and the intentions of agencies was very positive.  It is my opinion that the CNCI made a lasting positive difference in reducing unauthorized access into the federal enterprise and in enhancing resiliency of our systems. For more info see:

2) The CSIS report and related actions/studies: This 8 Dec 2008 report is the result of hard work and collective study by some of the best brains in the cyber security world.  Commissioners on the study are a who’s-who of security and the quality of this report is a direct reflection of this fact.  The report offers recommendations on multiple hard areas and should be referenced by anyone making decisions in the IT arena.  A recent related development is the posting by SANS of the Common Audit Guidelines.  This is a fantastic step towards providing guidelines to enhancing security and functionality. For more info see:

3) GAO Reports: Never in my life have I been so pleased with the quality of GAO reporting.  They have been doing fantastic work pulling together information on a wide range of technology issues.  Key among them is reporting on cyber security.  For example, the 10 March 2009 report on “National Cybersecurity Strategy.” This report captures a statement by David Powner, Director of Information Technology Management Issues for GAO. The report recommends twelve key strategy improvements needed now, most of which are in total consonance with the CSIS report.

4) The Obama Administration Review: Being true to promises during the campaign, the Obama administration began a review of cyber in a way that is open and is proactively seeking out inputs from all quarters.   Great work in liaison with industry, academia and internal in the federal government is underway.   This type of liaison has immediate benefit in building bridges with large teams of people who need to work well together to engineer enduring solutions, so it has already delivered benefits. For more info see:

The four topics above are all things that are translating to real action to improve the security posture of both the federal IT enterprise and the critical infrastructures of the nation.  In my opinion, great progress is being made.

But now is not the time to rest on our laurels.  The battle has just begun.

“This is not the end.  It is not even the beginning of the end.  But it is, perhaps, the end of the beginning.”

White House Conducting Review of Cyber

Followers of the cyber initiative and its related work have been strongly encouraged by the kickoff of a 60 day study tasked by the White House and led by Melissa Hathaway.  Melissa was named by President Obama to conduct this review.   As has been reported here in previous posts Melissa is one of the most effective, efficient senior executives in public service, and I have no doubt she will execute this task in a way that benefits the nation.

As an update, the White House blog posted an entry on this study today.  It reads as follows:

White House Blog
Monday, March 2nd, 2009 at 11:14 am
Cyber review underway

John Brennan, Assistant to the President for Homeland Security and Counterterrorism, passed along this update about the ongoing review of our nation’s communications and information infrastructure.

In response to President Obama’s direction, the National Security Council and Homeland Security Council are presently conducting a 60-day review of the plans, programs, and activities underway throughout the government that address our communications and information infrastructure (i.e., cyberspace). The purpose of the review is to develop a strategic framework to ensure that our initiatives in this area are appropriately integrated, resourced and coordinated both within the Executive Branch and with Congress and the private sector.

Our nation’s security and economic prosperity depend on the security, stability, and integrity of communications and information infrastructure that are largely privately-owned and globally-operated. Safeguarding these important interests will require balanced decision making that integrates and harmonizes our national and economic security objectives with enduring respect for the rule of law. Guided by this principle, the review will build upon existing policies and structures to formulate a new vision for a national public-private partnership and an action plan to:
enhance economic prosperity and facilitate market leadership for the U.S. information and communications industry; deter, prevent, detect, defend against, respond to, and remediate disruptions and damage to U.S. communications and information infrastructure; ensure U.S. capabilities to operate in cyberspace in support of national goals; and safeguard the privacy rights and civil liberties of our citizens.

The review will be completed by the end of April 2009. At that time, the review team will present its recommendations to the President regarding an optimal White House organizational construct to address issues related to U.S. and global information and communications infrastructure and capabilities. The recommendations also will include an action plan on identifying and prioritizing further work in this area.

Learn more about the administration’s Homeland Security priorities.

UNQUOTE

The fact of this White House blog entry is a huge signal that something has changed.  Openness on this topic was unthinkable just months ago.  We have also seen more direct work with industry groups on cyber, another positive step.

There is a great deal of work to be done in a very short amount of time.  What ever the result of this review is I’m sure it will be first rate and I’m ready to support it fully.  It is not often that I endorse something before it is done, but in this case I think it is the right thing to do.   There are too many bad things happening because of poor security, and too much of the economy is hurting because of it.

Enhancing Security and Functionality At The Same Time

Have you ever been pulled into the false debate over how much IT spending should be spent on security? Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.”  That old school formula may well be part of the reason we got into the mess we are currently in.  It contributes to thoughts that lead you to think security can be separated.  By some other ways of thinking, 100% of the budget goes to security and functionality and that is the calculus.

Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT.   We recommend you try whenever possible to use the term security and functionality in the same context just to underscore that point.

For example, the goal we continually push regarding security in the federal space is not just one dealing with security.  We put it this way:  “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.”  Putting the goal this ways also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for the need for metrics in security and functionality.  For functionality there are many customer focused survey methods that can help collect the right metrics.  For security, I think one metric stands out above all others:  Detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly.  If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.

That is a dramatic goal.  What makes me think it is achievable?  In part the dramatic action being put in place today in the federal space.  And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods.  But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security  experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.
  2. Inventory of Authorized and Unauthorized Software.
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
  4. Secure Configurations of Network Devices Such as Firewalls and Routers.
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.

What should CTOs think about this guidance?  We should most strongly endorse it. Appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute.  “The team that was  brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

Looking for other research topics? Browse our reports directory here. Would you like to task us with research on these or other topics? As A CTOlabs Pro subscriber you may use our “Ask The CTO” section and let us know what we can do for you.

 

More Content

Cyber War

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]