CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

You are here: Home / Archives for Cyber War

Cyber War

hacking-detected-shutterstock_188832089The study of cyberwar is more important now than it has ever been. Over the last 20 years we have witnessed cyberwar evolve from an obtuse but prescient concept to a theoretical possibility to a world of constant cyber attacks to today, where all war has cyber components. All war today is cyber war, and all conflict is cyber conflict.

Sign Up To Receive The CTOvision Daily

Cyberwar is a state of conflict. It is related to the technological environment and to cybersecurity, but cyber conflict comprehends those and many other topics into a greater national security construct. Today our nation faces constant adversary action and conflict in cyberspace. Meeting the challenges this adversary action causes requires an understanding of what people and companies and governments can proactively do to bring the fight to adversaries. It also involves deep understanding of adversary tactics and capabilities so we can really understand The Cyber Threat.
We track the the history of cyber conflict, the cutting edge concept being implemented in government, the technological dimensions of cyber war, and, most importantly, the key actions you should take to help protect your personal and business information in cyber conflict. We do that by capturing the thoughts of national security experts and cyber warriors with direct experience in this very serious domain. Our thought leaders take positions, but provide you with the insights you need to evaluate whether or not you support those positions. For example, see: What If This Is The Most Important Thing The Government Can Do To Enhance Our Cybersecurity? where we advocate for the intelligence community to provide compelling insights on the cyber threat to the American people. We also encourage everyone to consider that: Now That You Are A Soldier In The Cyber War You Must Know Your Cognitive Biases For a primer on strategic topics associated with cyberwar see: Twelve Principles of DoD Cyber Conflict

OODA Produces A Traveling Executive’s Guide to Cybersecurity

We have written before about the importance of all of us recognizing that we are in a cyber conflict. The fact is that we are all targets. We all have to keep our wits about us. This includes tracking the cyber threat and best practices to mitigate the threat.

A period of significantly enhanced vulnerability is during travel. It is especially important to maintain best practices when on the go, including, of course, when traveling overseas.

The team at OODA have just produced a reference of best practices for reducing cyber risk while on the go, including both business travelers and those who just want to reduce their overall risk while on mobile devices. The recommendations are provided in tiers enabling easy tailoring based on your threat model.

  • Tier 1:  The minimum essential cybersecurity best practices that should be incorporated into every trip and an executives’ daily cyber hygiene.
  • Tier 2:  Additional protections that should be put in place for travel to some countries or by organizations that want to adopt a more robust security profile.
  • Tier 3:  Advanced security practices for travel to high risk countries or for highly targeted executives.

See the full report at: A Traveling Executive’s Guide to Cybersecurity

 

 

Gain Insights Into How Bad Guys Are Manipulating You via YouTube

This clip is the first in a series on social media algorithm manipulation and countermeasures. I’ve been tracking these topics somewhat, like most of you probably are. But still found this to be surprising and very interesting.

There are serious threats to business here, most of this is being done for financial reasons.

But imagine how the really well resourced adversaries are leveraging advanced technology to manipulate. Those guys who decide to do this are much more sophisticated in their methods.

But watching this will give you insights into the realm of the possible and will keep you more aware of things that are getting real views on YouTube and help you understand ways you will very likely be tricked.

For more see:

100 Percent Of Small Businesses Go Out Of Business One Nanosecond After the Simplest of Cyberattacks

I just read another scary marketing email. This one from one of my favorite firms. I love Cisco. They have done a great deal for America and our way of life and I really appreciate them. They are creators and innovators and I am honored to have interacted with Cisco through the years.

But their marketing team has fallen for the trap so many other marketing firms have. They are spreading mis-truths, probably because they want to believe that what they heard somewhere is true.

A recent note from them tells me that:

“In fact, more than four out of 10 cyberattacks target small businesses, and 60% go out of business within six months of an attack. “

Wow, this is a pretty serious fact.

Sounds an awful lot like a fact many of us in the community recognized as bullshit when we first heard it back in 2011. Can you imagine if 60% of businesses that had a cyber attack went out of business? Given that we are all pretty much under attack all the time, we would not have any businesses left would we?

So I went to Google and did a bit of searching to see if I could back up Cisco’s claim.

Best overview I saw spelling out how specious their statement is is at a BankInfoSecurity article from May 2017. The statistic seems to have no basis in fact. But some people said it. That is all.

For marketing teams everywhere, try this one on:

100 percent of small businesses go out of business one nanosecond after the simplest of cyberattacks.

I happen to know that one is B.S. because I just made it up. But from now on whenever I see a marketer use that tired old made up statistic about 60% of businesses I am going to try correcting them with my new statistic and see if they will use my number instead of theirs. Or maybe it will cause them to think a bit more before spreading their own specious content.

OK enough poking fun at marketing departments around the world. I actually feel for them, they have a really hard job. They need to find ways to stand out in an environment where 1,000’s of firms are competing for the attention of every decision-maker in the enterprise. It is a tough job. I would just encourage all in the marketing department to stay grounded in reality by being sure to check facts, and, whenever possible, run your marketing copy by the business side of your organization to get their inputs.

There Are Ways To Improve The Security of Your Artificial Intelligence Solutions

Security of the data and algorithms and results of artificial intelligence takes new methods. At OODAloop.com Matt Devost provides a framework for improving the security and reducing the risk of problems from your AI deployment in a post titled:

Securing AI – Four Areas to Focus on Right Now

His approach: Build a strategy informed by four key components:

  1. Secure your AI infrastructure
  2. Secure the algorithms
  3. Security the training data
  4. ID and manage external risks and dependencies

His recommendations also underscore the importance of a strategy to drive results in each of these areas.

This premium OODAloop content was unlocked by Cooley LLP.

The Internet Has A New Problem: Repeating Random Numbers!

Digital Certificates are a foundational building block of the Internet. They are used to verify the identity of e-commerce sites, the authenticity of software and encrypt data. Not surprisingly, cyberattackers try to create fake Certificates or get the Private Keys for real ones to steal data or intercept communications. No one really worried about the Certificates themselves – until now. It seems the random numbers used to generate Certificates sometimes are the same.

To understand the problem it’s useful to take a 30 second tutorial on Digital Certificates. For those of you who might have managed to stay awake during math class you’ll remember that Asymmetric Cryptography utilizes 2 prime numbers to create a Public and Private Key for a Digital Certificate. The Public Key maps an input (that you want to keep secret) to a large number field while the Private Key reverses the transaction. The theory goes that since there’s an infinite set of prime numbers, there’s an infinite set of Public/Private key combinations. To make sure the prime numbers are different a Random Number Generator (RNG) is used. Sounds pretty secure. Infinite is a big number. What could go wrong?

Well the real world is a bit different than math class. It seems the random number generators (RNG) on computer devices really don’t generate an infinite set of primes but rather a bounded set that in turn generates a set of Public/Private Key combinations. This new analysis is a result of the dramatic cost reduction in high performance computing that now enables the simulation of a chip’s RNG function and the Certificates they generate.

From an Internet security perspective, the ability of a cyberattacker to know an organization’s Private Key has huge implications. Attackers can potentially impersonate web sites, intercept secure connections or decrypt any piece of data just by looking at the Public Key. Examples of this attack are not just seen in labs. In one case, for instance, on January 7 2019 the University of California Davis sent an advisory of all students visiting China that their “secure” What’sApp messages were being monitored.

For enterprises that rely on Digital Certificates for their security, which is nearly everyone, it’s important to deploy countermeasure to RNG-based Certificates attacks:

Upgrade Your RNG: Many PKI systems have the ability to connect to an external Random Number Generator or utilize an entropy pool to ensure randomness. If your HSM/Root CA has this capability, it is highly advisable you turn it on. Next you’ll want to purge your network of old Certificates.

Switch to a Virtual HSM: If your existing PKI can’t work with an external RNG or entropy pool then you might consider one of the many cloud-based and software-based HSM solutions. All of the newer software-based PKI solutions support external RNG or entropy inputs. If shopping around, also look for a solution that makes it easy to create and propagate new Certificates – it’ll make your life easier.

Isolate Mission Critical Apps: In addition to upgrading your Certificates another important countermeasure is isolating high value or mission critical applications from the Internet. Software Defined Perimeter (SDP) is an ideal countermeasure to Certificate attacks as no one except authorized users will even know about the application. SDP can also be used to continuously propagate new Certificates to user devices.

With RSA around the corner, security professionals have a great opportunity for FREE consulting. Ask Certificate and encryption vendors for their countermeasures to existing and emerging Certificate attacks. When visiting a cloud-based SaaS, ask them what countermeasures they have implemented to ensure their Certificates don’t get attacked. Be aware; be proactive as this threat is real.

Related Posts:

The Problem With PEAP

An Introduction to Risk Analysis

Connected Devices, Remote Security: Data Encryption and Security in the Cloud

Naturally Better Security: Leveraging the power of nature to enhance Internet security

 

What the New U.S. Intelligence Strategy Says About Cyber Threats

The United States intelligence strategy for 2019 has been released, covering seven specific themes.  Here’s how the United States Intelligence Community will deal with cyber threats:

“Despite growing awareness of cyber threats and improving cyber defenses, nearly all information, communication networks, and systems will be at risk for years to come. Our adversaries are becoming more adept at using cyberspace capabilities to threaten our interests and advance their own strategic and economic objectives. Cyber threats will pose an increasing risk to public health, safety, and prosperity as information technologies are integrated into critical infrastructure, vital national networks, and consumer devices. The IC must continue to grow its intelligence capabilities to meet these evolving cyber threats as a part of a comprehensive cyber posture positioning the Nation for strategic and tactical response.”

For more on the new strategy and to download a copy see: OODAloop.com

 

More Reading:

For more on these topics see the CTOvision Guide to National Security Technology and

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers:

Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not feeling the AI-vibe. Consider the following commercials.

Guy creates robot ‘child’ who wants to be a CPA. Alas the ‘RoboChild’ doesn’t have the emotional intelligence for a job at TurboTax. Humans win, but we are all nevertheless creeped out by the child’s laugh.

Alexa-like device talks to dudes. The poor bot can’t enjoy Pringles and she wants the two humans to know it. They shut her up by telling her to play “Funkytown.” Humans win (again), but they will go to bed aware that the bot is always listening.

Safe from technology. Home security firm SimpliSafe runs through the gamut of tech-enabled nightmares: drones, robots taking jobs, and too-smart-for-their-own good devices. So what is the solution? More technology, to guard the home. At least the devices emit a soft blue light.

I’m not sure we should read too much into this. These big businesses want to sell product and know technology is on our mind. In the cases of these three commercial’s they decided to make us laugh. I thought they were funny and hope you enjoy them too.

Here they are:

https://www.youtube.com/watch?v=JIRX3yWhgZI

https://www.youtube.com/watch?v=_rnrEQBieIQ

For what we really think about advanced technology see:

 

 

Announcing OODA: A Company Addressing Next Generation Security Challenges

Editor’s note: The below is from the press release for the launch of my new firm, OODA LLC. I’m very excited about this new venture and intend on making a positive difference in addressing several next generation security challenges. For more see: OODA.com

Industry Veterans Launch New Company to Address Next Generation Security Challenges

Security, intelligence, and technology industry experts Matt Devost and Bob Gourley have launched a new company to address current and emerging enterprise challenges.

OODA LLC will provide comprehensive consulting and advisory services including a highly specialized Artificial Intelligence (AI) and Machine Learning security practice.  As Devost notes “AI and Machine Learning are quickly becoming a universal technology, yet many enterprises are adopting these approaches without appropriate consideration for the security risks.”

“We’ll be addressing not only traditional security and technology issues, but also looking at the vulnerability and integrity of emerging technologies like Artificial Intelligence” added Gourley.

In addition to the AI security practice, OODA will offer comprehensive assessments using their EVALU8 methodology, Virtual CISO/CTO services, risk management consulting, and business support including market development and investment/acquisition due diligence.

Devost and Gourley have been collaborating for over twenty years and were co-founders of the highly successful FedCyber conference.  Bob Gourley is a former Naval Intelligence officer that later served as Chief Technology Officer (CTO) of the Defense Intelligence Agency and founder of the popular CTOvision.com web site.  Matt Devost is an established security professional and entrepreneur having been Founder of CEO of the Terrorism Research Center and the red teaming and incident response consultancy FusionX and OODAloop.com

Iconic businessman Scott McNealy, the former co-founder of Sun Microsystems and Chairman of WayIn, is an advisor to OODA. On their formation he commented that “OODA has assembled an unprecedented combination of expertise and has the experience required to help organizations navigate the fine line between risk and opportunity. Innovation today is moving at warp speed and CEOs who want to optimize opportunity will benefit from the experience and insights of OODA.”

About OODA LLC: The firm was named to capture the spirit of the successful international business strategy OODA, which stands for Observe – Orient – Decide – Act.  The OODA Loop is a process articulated by Air Force Colonel John Boyd to teach optimal air to air combat. Devost and Gourley have applied OODA concepts to cyber risk mitigation, opportunity assessment and intelligence operations for businesses operating in multiple sectors of the economy and are focusing on this approach in their consulting and advisory services.

 

For more on OODA see:

[wp_show_posts id=”108892″]

More Content

Cyber War

SciFi

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]