CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for Cyber War / Cyber Security

Cybersecurity Is Not Just About The Tech

Cybersecurity may well be the most important function in the modern world. Without it, nothing else can be trusted, in any sector of the economy.
hacking-detected-shutterstock_188832089Cyber Security is far more than just protecting data. Security is about protecting the functionality of IT. It involves confidentiality, availability and integrity of resources. This higher order approach to cyber security requires vision, leadership, and actions in dimensions of people, process and technology.
 We also need to draw your attention to the higher order concept of Cyber War. This is, unfortunately, something all technologists should be familiar with now. The most critical piece to read on that topic now is Now That You Are A Soldier In The Cyber War You Must Know Your Cognitive Biases followed by: Main Street Cybersecurity: Can Email Be Safe? and Time for Transformational Cybersecurity!

Stay In The Loop: Sign Up To The CTOvision Daily

When it it time to research the great providers of Cybersecurity Solutions, kick off  your search in the CTOvision Disruptive Technology Finder. Pay particular attention to the sections on Cybersecurity, CASB, Cyber Threat Intelligence, and VPN.
For help putting all this information into context for your business, consider tapping into Crucial Point's CTO-as-a-Service or Technology Due Diligence offerings, both are ways to quickly leverage the technical talents of experienced enterprise technology professionals.

Recorded Future Provides Awareness Into Issue of Government Credentials On The Open Web

RF-desktopRecorded Future provides real time threat intelligence to cyber defenders as well as business executives seeking insights to inform decisions. They leverage a patented Web Intelligence Engine over with billions of indexed facts (and more added daily) to analyze the open web to provide insights.

One category of the many sites they ingest is paste sites. These sites are web applications designed to allow users to store and share plain text. They are regularly used to hold and share small working documents by programmers/developers/systems administrators as well as academics and students. In practice, paste sites are also used as a dumping ground for stolen credentials. By applying algorithms over paste sites as well as over 650,000 other sources on the web, Recorded Future can provide enterprises with early warning that credentials have been compromised.

In a report titled “Government Credentials on the Open Web” Recorded Future provides insights and analysis showing 47 US government agencies across 89 unique domains have credentials leaked and made available to potential adversaries. Analysis and additional reporting by the government indicates that many of these agencies do not require multi-factor authentication, meaning lost credentials are a particularly risky threat in those cases.

We downloaded and reviewed the report and then sought to replicate the analysis and learn more by direct use of the Recorded Future application.

We began our evaluation by doing very simple queries of all paste type sites based on government email domains (for example, opm.gov). Starting with simple searches was a great way to generate foundational context. Immediately the visualizations of Recorded Future provided not just results on opm.gov domains but context around related data in the records. For example, a dump to paste sites from Dec 2013 which held opm.gov credentials also held credentials for 8 additional federal entities plus many of their key contractors and Recorded Future summarized the significance of that visually. It also provides a link to the data that was in the paste.

When miscreants steal or break passwords and paste them online it is an immediate threat and with this tool we can see it happening in very plain ways. We can also see the horrid state of user passwords.  Here are a few that stood out:  monkey, Marlene, brianna, turtles, dallaskid, redskins, buffy123, turkey.  These are all horrible passwords!

I also conducted analysis around other domains, including organizations where I have worked in the past and those of many friends and associates. In almost every case there was information that would be of some use to adversaries who might use the information in phishing attacks and in some cases there was clear indication that passwords had been compromised.

Any organization that has leaked credentials is at increased risk, so using this method is a great way to inform defenders of the nature of threats and to take action to mitigate threats.

This same method can be used to look for indications of other types of leaked information, including supplier lists, contract data, customer lists, intellectual property, business strategies and other information meant to be protected. Which leads to the bottom line conclusion: Organizations should use the automation of Recorded Future to enhance situational awareness and drive continued action to improve security and reduce risks.

For more see: “Government Credentials on the Open Web

Related Posts:

The Use of Recorded Future for Cyber Security Professionals(Opens in a new browser tab)

An Introduction to Recorded Future: An ability to leverage the predictive power of the web(Opens in a new browser tab)

The Insider Threat Worst-Case Scenario(Opens in a new browser tab)

FBI Provides An Update On #SonyHack Investigation Including Some Tech Details On Attribution

 

Airbus confirms software errors/configuration brought down A400M transport plane

airbus_a440mThe Register is reporting that badly configured software, installed incorrectly, is responsible for the crash of an Airbus A400M transport plane. Engine control software, installed wrong, was to blame.

The A400M crashed just after takeoff on its first real production test flight, 9 May near Seville’s San Pablo Airport, killing four.

For the initial report on the software  see: The Register.

For more background on the crash see: Wikipedia.

For more see:

Cybersecurity and IT Standards and Your Enterprise

As we have noted in the past, “The nice thing about standards is that you have so many to choose from” teaches Andrew S. Tanebaum in his classic text on Computer Networks.

This adage is especially true when it comes to cybersecurity. We encounter so many standards in the corporate world that in so many cases they become totally ineffective. This is an area requiring continued technical leadership or it will have little impact. But with technical leadership, good security standards can make a world of difference.

Our recommendation is to focus on your business needs first, but then select the right body of standards for your organization and your mission. Once you select your corporate approach to standards, remember you will get what you measure. Enforce your standards.

Here is a high level overview of key cybersecurity standards:

  • Critical Security Controls for Effective Cyber Defense (commonly called the Consensus Audit Guidelines or CAG): A publication of best practices in cyber defense consisting of 20 key actions, called security controls, that can reduce/mitigate most threats. These are the easiest to understand, easiest to implement and most effective approaches we know of.
  • ISO 27001 and 27002: Focused on helping organizations manage the security of assets including financial information, intellectual property and employee data. If you are a large organization already working ISO processes this may be a worthwhile approach.
  • NIST Cybersecurity Standards: NIST has been contributing to best practices and standards for decades. Many of their standards, like their Special Publications 800-12 (overview of controls), 800-14 (common principles), 800-26 (management advice), 800-37 (Risk Management Framework) and 800-53 (security and privacy controls) are aimed at the federal government but can be instructive to companies. Their work on a Cybersecurity Framework is aimed to help industry find more common approaches and a common language for cybersecurity. The benefits of this cybersecurity framework to companies seems to be in helping get everyone on a common wavelength, including suppliers when enforced via contractual mechanisms.
  • COBIT 5: Tools, resources and guidance by ISACA.org. COBIT stands for Control Objectives for Information and Related Technology. This framework helps organizations leverage best practices in multiple domains including audit, risk management, regulatory/compliance, government of IT.
  • RFC 2196: Published by the IETF, so as you can imagine this is focused on policies and procedures for sites that have systems on the Internet (which means, by the way, all systems these days).  Written long ago but still so very valid.
  • ISA/IEC-62443/ISA-99: The International Society of Automation (ISA) Security Compliance Institute functions within ISA’s Automation Standards Compliance Institute (ASCI) to provide professional management of this body of standards, which focus on industrial automation control systems.
  • IASME: a UK-based standard for information assurance at small-to-medium enterprises (SMEs) based on best practices. Accredited by the UK Government. Supported by certification body companies that can audit and smartly aligned with cybersecurity offerings in ways that may prove to be especially virtuous.

Standards Bodies

It is also good to know your standards bodies.  Not every standards body deals with topics of interest to IT focused CTOs. The list below is an extract from the Wikipedia article that only has those groups I think are working topics of interest to CTOs.

  • 3GPP – 3rd Generation Partnership Project – Website
  • 3GPP2 – 3rd Generation Partnership Project 2 – Website
  • AIIM – Association for Information and Image Management – Website
  • ANSI – American National Standards Institute
  • DMTF – Distributed Management Task Force. develops and maintains standards for systems management of IT environments in enterprises and the Internet.
  • Ecma International – Ecma International (previously called ECMA). Computer standards with a business-like approach.
  • GS1 – Global supply chain standards (identification numbers, barcodes, electronic commerce transactions, RFID) – Website
  • IBTA – Infiniband Trade Association
  • IEEE – Institute of Electrical and Electronics Engineers – Website
  • IETF – Internet Engineering Task Force – Website
  • ISO – International Organization for Standardization – Website
  • ITU – The International Telecommunication Union – Website
    • ITU-R – ITU Radiocommunications Sector (formerly known as CCIR)
    • ITU-T – ITU Telecommunications Sector (formerly known as CCITT)
    • ITU-D – ITU Telecom Development (formerly known as BDT)
  • Liberty Alliance – Liberty Alliance – Website
  • Media Grid – Media Grid Standards Organization – Website
  • OASIS – Organization for the Advancement of Structured Information Standards – Website
  • OGC – Open Geospatial Consortium – Website
  • OMA – Open Mobile Alliance – Website
  • OGF – Open Grid Forum (merger of Global Grid Forum (GGF) and Enterprise Grid Alliance (EGA)) – Website
  • TM Forum – Telemanagement Forum – TMF Website
  • W3C – World Wide Web Consortium – Website
  • WSA – Website Standards Association Website

Government Privacy Standards

  • GDPR: The most famous of the government compliance standards.
  • HIPAA: Focused on patient data privacy.

A note about standards and meeting the compliance requirements of GLBA, SOX, HIPAA or PCI:

Staying in compliance with regulations and requirements of laws like GLBA, SOX, HIPAA or the important industry PCI guidance require constant technical leadership, and many of those requirements also come with specific technical guidance. However all give you a significant degree of leeway in how you meet the requirements. The standards we review above can help you address them. However, more important than standards are your management approach to cybersecurity. This is a favorite topic of ours and is squarely in the sweet spot of our risk mitigation work. We work with Fortune 1000 firms to evaluate management approaches and help meet the needs of compliance and at the same time improve cybersecurity support to business and mission needs. Contact Us for more information.

Special Standards for Federal Government Business Growth

The Three Key Concepts of FISMA, FIPS and FedRamp

FISMA – Federal Information Security Management Act – designed to increase security controls by creating auditable repeatable compliance processes. The reality? Has increased security processes, provides clear benchmarks, but creates mountains of extra work that many believe actually prevent IT professionals from doing their job.

FIPS – Federal Information Processing Standards – define key aspects of how information is used and disseminated government wide. Key standards are 140-2 (security requirements for cryptographic modules), 200 (minimum security requirements for federal information and information systems) and 201-1 (personal identity verification for federal employees and contractors). All the FIPS standards have importance, yet these three are most frequently encountered.

  • FIPS 140-2 is most often referenced in terms of mobile. It defines the encryption standards necessary for any device that will connect with systems such as e-mail. It also defines the encryption necessary to protect personally identifiable information (PII) that many agencies have in abundance.
  • FIPS 200 is plain and simple the federal requirements necessary for information systems. This defines security standards and more.
  • FIPS 201-1 defines how personal identity verification (PIV) systems should function (and who needs them). PIV systems are tethered to Public Key Infrastructure (PKI) encryption and can really provide enhanced security capabilities.

FedRamp – The Federal Risk and Authorization Management Program is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach uses a “do once, use many times” framework that has goals of saving cost, time and staff for government organizations making security assessments. Information on FedRamp is provided at the CIO.gov website.

 

Related Reading:

Technological Dimensions of Cyber Defense

ITIL for CTOs

 

Complying With Health Insurance Portability and Accountability Act (HIPAA) Security Rules

Complying with HIPAA security and privacy rulesHIPAA was enacted in 1996, and by April 2005 security standards were required to be in place for most covered entities. In 2013 key portions of this law were updated. This post provides an overview of key elements we believe security and technology professionals (and most citizens) should be tracking.

The technology and security communities focus largely on Title II of HIPAA, which provides changes to the law designed to reduce health care fraud and abuse while protecting privacy and enhancing security.

This is the section of the law that regulates the use and disclosure of Protected Health Information (PHI).  PHI is any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. It includes any portion of a patient’s medical record or payment history.

In January 2013 HIPAA was updated to include changes meant to enhance security, including breach notifications, as part of the Health Information Technology for Economic and Clinical Health Act (HITECH).

With these modifications, the law now imposes data breach notification requirements for unauthorized uses and disclosures of unsecured PHI. These notification requirements are similar to many state data breach laws related to personally identifiable financial information. Breach notifications are to be made to patients, and if the breach impacts more than 500 patients then HHS must also be notified. This will result in HHS publicly posting the entities name on their website (see the current list here). Additionally, breaches involving more than 500 people in a state are required to notify prominent media in that state (normally done via press release).

These rules apply to any entity with patient information. Entities are generally discussed in two categories:

  • Covered Entities (CE) are any providers of treatment, payment or operations in healthcare.
  • Business Associates (BA) are any entities that have access to patient information, which can include subcontractors or other partners.

This breakout into two categories is important since the rules require covered entities to help enforce these standards with their business partners/associates. This must be enforced contractually.

Now to quickly review things you already assume are in the rules: The regulations are that PHI will be protected and guidance is given that there will be physical safeguards (including limiting facility access control and also access to workstations), technical safeguards (including access control, authorization and encryption), auditing (including records on activity that can be used in forensics), appropriate policies, and security of data in transit.

As for how these goals are met, there is leeway. Entities are permitted to use any security measures that allow them to reasonably and appropriately implement safeguards. Savvy CIOs in the healthcare domain are usually very familiar with community best practices and standards that apply here.

Complying with HIPAA is almost always an exercise in learning the terms and requirements of the law, knowing the business process of the entity processing information, and applying smart guidelines like the community-built “Critical Security Controls” collaboratively maintained by the Center for Internet Security (these are the controls previously known as the SANS Top 20).

Related Reading:

DoD Contractors: Complying with new DFARS regulations is easier with external help

Influential National Association of Insurance Commissioners (NAIC) Moves On Cyber

naicCybersecurity practitioners and policymakers have long been discussing the potential positive benefits of smart insurance policy and standards to reduce risk. Of the many actions and activities we see in the insurance world today, the news of NAIC involvement is seen as particularly interesting.

What is the NAIC?

The National Association of Insurance Commissioners (NAIC) is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories. Through the NAIC, state insurance regulators establish standards and best practices, conduct peer review, and coordinate their regulatory oversight. NAIC members form the national system of state-based insurance regulation in the U.S.

What have they announced?

NAIC has coordinated two drafts which will provide comprehensive policy for oversight of insurance regarding cybersecurity:

The first is a draft of Principles for Effective Cybersecurity Insurance Regulatory Guidance, developed by the Cybersecurity (EX) Task Force. This document will help state insurance departments identify uniform standards, promote accountability, and provide access to essential information. It also outlines the process for working with the insurance industry to identify risks and offer practical solutions.

The second draft document: the Annual Statement Supplement for Cybersecurity policies, comes from the NAIC’s Property and Casualty Insurance (C) Committee.

Here are the 18 draft principles from this first document:

NAIC’s Principles for Effective Cybersecurity Insurance Regulatory Guidance

  • Principle 1. Insurance regulators have a significant role and responsibility regarding protecting consumers from cybersecurity risks.
  • Principle 2. Insurance regulators have a significant role and responsibility regarding the insurers’ efforts to protect sensitive customer health and financial information.
  • Principle 3. Insurance regulators have a significant role and responsibility in protecting the sensitive information housed in insurance departments and at the NAIC.
  • Principle 4. Insurance regulators recognize the value of collaboration in the development of regulatory guidance with insurers, insurance producers, consumers and the federal government with the goal of a consistent, coordinated national approach.
  • Principle 5. Compliance with cybersecurity regulatory guidance must be flexible, scalable, practical and consistent with the national efforts embodied in the National Institute of Standards and Technology (NIST) framework.
  • Principle 6. Regulatory guidance must consider the resources of the insurer or insurance producer.
  • Principle 7. Effective cybersecurity guidance must be risk-based and threat-informed.
  • Principle 8. Insurance regulators should provide appropriate regulatory oversight, which includes but is not limited to, conducting risk-based, value-added financial examinations and/or market conduct examinations regarding cybersecurity.
  • Principle 9. Planning for crisis response for insurance regulators, insurers, and insurance producers is an essential component to an effective cybersecurity program.
  • Principle 10. The effective management of cybersecurity by third parties and service providers is essential for protection of consumer’s sensitive personal health and financial information.
  • Principle 11. Information sharing is important for risk management purposes; however, it must be limited to essential cybersecurity information and protect sensitive confidential information.
  • Principle 12. Cybersecurity risks should be included and addressed as part of an insurers and insurance producers Enterprise Risk Management processes.
  • Principle 13. High level information technology internal audit findings should be discussed at the insurers and insurance producers Board of Director meetings.
  • Principle 14. It is essential for insurers and insurance producers to join Financial Services Information Sharing and Analysis Center (FSISAC) to share information and stay informed about cyber and physical threat intelligence analysis and sharing.
  • Principle 15. Sensitive data collected and stored and transferred inside or outside of an insurers or insurance producers network should be encrypted.
  • Principle 16. Periodic and timely training for employees of insurers and insurance producers regarding cybersecurity issues is essential.
  • Principle 17. Enhanced solvency oversight is needed for insurers selling cyber insurance to businesses and families.
  • Principle 18. Additional data on the sale of cyber insurance products should be collected to assist insurance regulators with oversight of financial and market regulation.

Regarding  Principle 7. Effective cybersecurity guidance must be risk-based and threat-informed.  We most strongly endorse that point. Our Daily Threat Brief is now informing executives across most every sector of the economy and can provide a strong baseline on the threat to inform cyber security guidance. Subscribe for free at https://www.oodaloop.com 

For more information, visit www.naic.org.

For more see:

The Principles of Enterprise Technology

Top 10 CTO Principles

Marc Andreessen on the future of technology and implications for interactions between government and citizens

Thorn: Digital Defenders of Children

Don’t Buy A Samsung Smart TV Till You Understand The Threat To Your Business And Personal Information

wpid-Samsung-PN51D550-51-Inch-3D-Plasma-TVThe fine print offered by Samsung regarding their new Smart TV is something you need to dwell on.

Not only does the TV recognize your voice, but it will record your conversations even when you do not know you are being listened to. Additionally, this information will be used by Samsung. And, according to their fine print, may also be used by third-parties they decide to work with.

But, they say, don’t worry, they take our privacy very seriously.

This story was first broken by @ShaneHarris of The Daily Beast and then also reported on by @ChrisMatyszczyk of CNET. We all owe these writers a big debt of gratitude for bringing this to our attention.

The Samsung privacy note reads, in part: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”

We will continue to track the reporting on the topic.

Our recommendations:

  • For now you have to play it safe. The threat to your personal or business privacy is too great for you to have one of these devices anywhere. Do not order one.
  • If you have already ordered one, return it. Get something safer.
  • If you already ordered a Samsung smart TV and if returning it is not an option, disconnect it from the Internet.
  • If you are gutsy and a gambler, maybe order one of these for one of your competitors. Some of their conversations might end up at some Samsung third party vendor that gets compromised by anonymous (sorry, just poking fun at Samsung with this one, we actually don’t recommend anyone, even your competitors, use this).

Bottom line: make your own risk-based decision, but arm yourself with all the facts first, and till you have all the facts don’t get this device.

What I Took Away From The Operation Cleaver (#OpCleaver) report

If you track cyber security you have no doubt heard of the recently published report by Cylance titled Operation Cleaver. It has been extensively referenced in the press and has generated significant dialog among practitioners, pundits and policy wonks including on Twitter with the hashtag #OpCleaver. The report was so good and so well documented it resulted in the FBI taking the action of publishing special alerts warning infrastructure providers of possible Iranian cyber attacks. This was a very important report.

Here is a gist of the report from Cylance:

  • A new global cyber power has emerged; one that has already compromised some of the world’s most critical infrastructure. The Operation Cleaver report sheds light on the efforts of a coordinated and determined group working to undermine the security of at least 50 companies across 15 industries in 16 countries. Our report unveils the tactics, techniques and procedures used in what is still an ongoing campaign.
  • Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. To date it has successfully evaded detection by existing security technologies. The group successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe, including military, oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors, chemical, companies, and governments.
  • Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.

The report provides a sound-bite sized statement that “Iran is the new China.”  That is designed to make us think and I’m glad they wrote that. But as an intelligence professional I would like to add that the motivations of these actors appear to be different. China seems primarily motivated by espionage, with the strategic military potential of cyber attacks a secondary but also important consideration. These Iranian attacks appear to be more sinister, motivated by a desire to have a strategic weapon at their disposal. The importance of this nuance may only be relevant to policy makers seeking to deter these actors from their objectives. That too is something to put some thought into, since both are totally different collectives of totally different actors.

The report makes the point that in many ways attribution offers little real benefit to the day-to-day cyber defender. Cylance writes that this level of attribution can aid law enforcement. We agree with the latter point, of course, this can be of use to law enforcement. But would like that there is another school of thought regarding intelligence informing cyber defense. We believe this report can serve enterprises as yet another strategic intelligence input, which can be useful in helping organizations plan their defenses.

Overall, our assessment is that although the report is short, it is to the point, and very insightful. Our recommendations:

  • We most strongly recommend you read it in its entirety.  It will give you a much better feel for the quality of work by the team at Cylance and help you understand the nature of this threat better.
  • Please consider sharing the Cylance report. Cylance has documented a very important evolution of the cyber threat, one we believe all citizens, not just defenders, need to better understand. I believe we are all doing civilization a favor when we spread the word on good works like this, and hope you will consider sharing the Cylance Operation Cleaver report widely.

Download the report here: Operation Cleaver

Additional Reporting

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

The Cyber Threat Provides New Insights Into Bad Actors: Book updated with latest on threat actors and the tech ecosystem

NIST Issues Draft Guide To Cyber Threat Information Sharing

I love and respect NIST and I just want to come right out with that so you know where I am coming from. Now add on top of that the fact that they have just issued a draft document that discusses items at the intersection of three of my passions, Cyber Security, Technology and Intelligence, and you can see why I am so excited.  So, with my bias in mind, I report the following:

NIST has just produced a draft special publication that I believe is the best thing I have ever read from their organization. The document is SP 800-150, the Guide to Cyber Threat Information Sharing.

This is a draft released for public comment. Expect changes in the final version. But this is ready for your review right now. If you are a CIO, CISO, CTO or other enterprise IT professional you will learn lessons and gain insights into approaches that can help you enhance your ability to create, acquire, process, share and act on cyber threat intelligence. It is well worth reviewing now, even while it is in draft.

As a draft, comments are being solicited, and I already have a few minor ones I’ll be suggesting for NIST consideration. For example, I do not like the way they bestow credit upon one particular integrator who rushed out and trademarked a term that had been in use in the community for decades. I’m going to work to ensure that is put in a community-focused light. I am going to suggest a tiny bit more information on some key technical standards for information sharing. Although I love the reference to standards on the last page, I’m thinking a paragraph or two on OVAL, SCAP, STIX, TAXII and VERIS could be helpful to enterprise IT professionals.

But those are minor suggestions. Overall I found this to be a fantastic document that I believe can make a positive contribution to enterprise threat information sharing right now.

To read more see: NIST SP 800-150

More reading:

NIST report on IoT security raises awareness on risks of connected devices

CTOvision Guide To The Cybersecurity Technology Marketplace

 

 

More Content

Cyber War

SciFi

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]