Hack The Planet

Because if you don't, who will?

Monday, May 14, 2018

Why find the Unknown Unknowns…

Humans like to solve problems that are readily known or are easy, and ignore ones that take some digging or are difficult. We are lazy animals, but that is a good thing. System Administrators create scripts to eliminate repetitive tasks. This is good. We should work smarter not harder. The issue is when we disregard tasks, or threats because they take time and research. We in Information Security often fix the “known knowns” and hope that we aren’t impacted by the “unknown unknowns (UUs)”. We need to start brining our unknown threats into the light of day, or a nice dashboard, so that we can act on them and protect our environments from them.

When we think of securing our information and our networks, we often start with our knowns. We know we need to defend our digital borders so we install firewalls. We know we need to protect our endpoints so we install anti-malware software. We may even know that we need to protect our data and we deploy a Data Loss Prevention solution, but I rarely see folks do this intentionally, and if they even have a solution it isn’t tuned and is a check box on some compliance form more than anything else. Admittedly that last one kills me because there are a number of solutions you can get that would have stopped any number of the breaches we have read about, and some we haven’t even heard about yet, but we don’t put the energy or budget into solving this one.

As we move to the more mature security environments you will find vulnerability scanning, looking for those known vulnerabilities, though an incredible 26% of companies said they didn’t have time to patch. Then you may introduce a Network Access Control solution, possibly from your network equipment vendor or one of the few remaining stand alone solutions, but again, I don’t see organizations actually utilizing the investments they have made in NAC. The list of solutions keeps growing as your organization matures, but often times the investment in tools does not mean that they are being deployed or tuned, and that your staff is being trained on them.

With more tools, comes more alerts, and with more alerts comes alert fatigue. I have walked into many a SOC (Security Operations Center) and found alerts all over the screens and analysts just sitting at their desks ignoring them. Like the boy who cries wolf, the alerts had trained the analysts to ignore them. The scary thing is any of those alerts could have been critical and truly important, but because of all the noise it would have been ignored with all of the others.

This is where have a good solution to monitor all of your tools, endpoints, logs and network data is necessary. If done right it will lower your alerts, so that your analysts can spend time on the most critical events, and it will also give you visibility into your environment so you can find those UUs. I have mentioned the NCTOC Top 5 SOC Principles before, and want to point out that number 2 on that list is visibility. We must build visibility into our environments, not just for the UU’s, but to alleviate alert fatigue and give your team their best chance at stopping a breach or other organization impacting event.

posted by holliday at 12:36 pm  

Saturday, May 5, 2018

The Art of Best Practices…

In Information Security “Best Practices” are commonly referred to, but rarely practiced. This is the cause of most of the breaches and hacks that plague us today.

One best practice that isn’t sexy, but is incredibly necessary is updating. This is often a battle with different business units, which means a breach is inevitable. Possibly the hardest part about being an information security professional is convincing the business to do what is best for it. This is where understanding the business, and being able to speak the same language as the executives is key. It also helps if you have the data to back you up, but that is another topic.

At RSA 2018, Dave Hogue, Technical Director for the NSA, discussed how they secure themselves from 0-days using their own principles, including hardening to best practices. We live in a world where our adversaries are able to engineer attacks for disclosed vulnerabilities faster than most organizations are able, or willing, to patch. If you would like to keep your organization secure, you will need to find a way to convince it to keep up with patches and follow as many other best practices as possible.

And if you need a list of best practices, there are plenty out there to choose from.

posted by holliday at 4:27 pm  

Thursday, April 26, 2018

When your adversary makes a mistake…

There is a perception that cyber criminals and nation state hackers are untouchable, and that hacking or cybercrime is low risk to the attacker. While this may be true in some cases, we have seen more and more hackers caught and sentenced for their digital crimes. It has become very apparent that if you commit a digital crime, you have a pretty good chance of ending up in a physical prison cell.

How do we capture these criminals? Just like in real life, we look for their mistakes. Whether it is sharing pictures on Facebook, or forgetting to login to an anonymizing service, these digital desperados are just people, and eventually everyone will have a slip up.

Napoleon said it well, “Never interrupt an enemy making a mistake.” We need to be patient and vigilant, because eventually our adversaries will make a mistake and we need to be ready for it.

That is all for now. Happy hacking!

posted by holliday at 8:57 pm  

Thursday, April 19, 2018

When the lights go out…

For years, information security researchers have warned about attacks on ICS (Industrial Control System) infrastructure at power and water facilities but this year we may finally start seeing some executives taking it seriously…or are they?

In 2010, the world became aware of Stuxnet, an elegantly designed piece of malware targeted at SCADA (Supervisory Control and Data Acquisition) systems at Iran’s Natanz nuclear facilities. The goal of the malware was to cause the centrifuges at the facility to fail, and by all accounts it was very successful. Stuxnet woke up the information security world to the risk of what malware targeted against ICS/SCADA systems could do, and the risks we all faced. Sadly, many people in the C-Suite believed, as many people do, that attacks only happen to other people.

In 2017, the Triton\Trisis malware was discovered to be targeting a vulnerability in Schneider Electric’s Triconex firmware. One victim was reportedly in the Middle East, but how many organizations have been truly impacted is unknown. This RAT (Remote Access Trojan) triggered an emergency systems shutdown before it could deploy its payload, or we may have never have discovered it.

One of the interesting functions in both of these different malware samples is their ability to collect information from the systems they have infected. Stuxnet used this capability to replay information to the monitoring systems to show that everything was okay, while in reality the centrifuges were failing. Advanced, and motivated adversaries build these carefully crafted attacks to not only cause destruction, but to hide themselves and what is truly going on in the environment to extend their ability to cause damage. It is both impressive, and terrifying.

In a recent survey by Tripwire, people from the energy sector were asked about their concerns, the classic “What keeps you up at night?”. The answers were interesting if not expected.

91% responded that they were worried about cyber attacks against their ICS systems. It makes sense that they would be concerned, but I wonder if the other 9% didn’t understand the question. If you are in the energy sector and are not worried about this, then you should be replaced because you don’t understand your threat model and what you are up against.

70% responded that they were concerned that an attack would result in a catastrophic event. With the capabilities that Stuxnet, Industroyer, and Triton have at their disposal, the likelihood of an incident that causes massive loss of life is growing.

The one statistic that I really want to share, is that 56% of respondents stated that they will only see more security investment “Once there is a significant attack” against them. This is incredibly telling. This comes from the idea that it is cheaper to fail or be breached, than to properly secure your environment. Sadly this has proved out to some degree, and even more sadly shareholders are valued over lives.

I am sure we will see even more attacks moving forward, and I can only hope that we learn how to properly invest, and protect our energy and water facilities before it’s too late.

posted by holliday at 1:08 pm  

Saturday, April 14, 2018

The Cybersecurity Talent Gap

It has been talked about for years, but the cyber security talent gap, or the ability to hire information security folks with any real expertise, is still massive. In a recent study it was taking some organizations over 6 months to fill a position. Couple that with the ever increasing rise in cyber crime, and it doesn’t look pretty.

I spoke on Cybersecurity Education a few years ago, and the numbers then showed we would have over 1,000,000 unfilled seats by 2019, and from other reports it looks like we are already there. We are seeing more, and more need for individuals that can perform key cybersecurity duties, and a greater lack of skilled candidates than anticipated.

When I spoke, I mentioned we needed to train people using techniques such as gamification, and now a report from McAfee is looking at bring gamers into the field. I think this is a good idea, but they have to want to make the jump. Cybersecurity is a lot of fun, but only for those who are passionate about it. Gamers may be more likely to enjoy it than others because they are used to having an active adversary they are competing against. I know I love it.

One thing that seems to have been lost in the talent gap is how do we retain talent. As an industry we really need to make sure our executives and HR teams understand that it is easier to train someone, than hire the perfect candidate. Offering competitive training and helping your own people to future proof their careers, is a way to keep your best, and most loyal employees, but also to differentiate your organization when you are trying to hire that ever, elusive candidate.

To end with some good news, it is only taking organizations 101 days to discover an incident , down from 416 days in 2011. I mean, it isn’t great but we take any win we can.

posted by holliday at 4:59 pm  

Thursday, April 5, 2018

Another week, another…

Every week I wake up to news of a breach, or that a previous breach’s headcount has increased, or there is a new attack. We are still living in a digital wild west, where security sheriffs try and protect their town, but marauding bands of thieves continue to pillage with almost no risk of being prosecuted. Time to pull ourselves up from the latest news and get back to protecting our users.

Here are a few stories from this week that made the headlines and drove home the point that we have to do better.

After all of the news about Facebook giving access of user’s data to third party companies, which was then used against those user’s, the hits keep coming with the number of user’s impacted rising to at least 87 million and it will probably continue to grow.

As much as I love Panera’s soups and sandwiches, the way it deals with security vulnerabilities leaves much to be desired. If companies continue to behave like this, researchers will stop reporting vulnerabilities and the impact to the company will be much worse.

Anytime we make a tool for law enforcement, we must assume that it will be used by criminals, or in this case spies. Once a technology is available to anyone, it is available to everyone. We need to think about this as the battle over encryption and backdoors continues to be fought.

I like to end things on a fun note, so if you are going to be walking through a jungle you may not want to wear “Obsession for Men” unless you like the attention of cougars, and not the human kind.

posted by holliday at 8:43 am  

Friday, January 19, 2018

There is no edge…

I remember early in my career that when it came to security you had to protect the edge. You put in a firewall, then you would put in an IDS as we moved forward, and everything was about the edge. It was a castle model. Basically, we built the walls, the moats and all number of protections to keep the invaders out. I don’t need to rehash all of this because it has been talked about before.

Move forward to the last few years and the edge has dissolved. We have kept up our walls and protections but our business has moved beyond our walls. Our business is done in the fields, and other towns and castles, or all the way across the world. The invaders don’t need to come to our gates anymore, we take our treasures to them, in the shape of our mobile and cloud connected devices.

This week a new malware campaign, Skygofree, hit the news wire and it was completely focused on mobile endpoints. As I was reading different reports about the malware I thought about how easy we have made it for the invaders.

We built our defenses, but haven’t trained our people who were inside the gates how to defend themselves, or even what to look for in an attack. We gave our people access to our resources from anywhere in the world, but not the tools (mental or digital) to protect them. Then we wonder why we were breached.

The digital world continues to move forward at break neck speeds and our protections continue to dwell in the dark ages. Until we wake up to the new reality that there is no edge, we are leaving ourselves ripe for pillaging.

Train your users, build protections into your mobile workforce devices, and keep an eye to the future as there will be new, emerging technologies that will change our protection landscape again before we know it.

posted by holliday at 11:58 am  

Friday, January 12, 2018

…and a Happy New Year!

The New Year wasted no time in dropping some great (and terrible) vulnerabilities. Let’s hope the rest of this year can keep up with how it has started.

posted by holliday at 5:09 pm  

Monday, August 14, 2017

Defcon 25 Recap

This year marked the 25th anniversary of Defcon, and my 10th year attending. Defcon continues to grow, this year eclipsing 25,000 attendees. It is incredible to see all of the different people that attend every year and how we as a community continue to grow.

During the opening keynote, Alex Stamos of Facebook hit on a few key things that really resonated with me. One of which was that we need to build up the next generation of Engineers. The people that will be coming after us, that we need coming after us, to help secure the Internet going forward.

It hit home because this summer I helped set up a Cyber Skills Exercise for a program that was built for middle school girls called “Cyber Warrior Princess”. It was really cool to see the way the kids jumped in and were excited to learn. We could learn a lot from them on maintaining our enjoyment of technology and not becoming stale. These young women are going to be attending (possibly) Defcon in a few years time, and I want the conference to be something they can enjoy.

There were many other good briefs during Defcon, Digital Vengeance being one I really enjoyed. It was nice to see that malware, RATs specifically, were as buggy as any other code and could be used to strike back (within legal limits) at your adversaries.

Another brief, a talk by Kasparov, was really inspirational and helped re-energize me. His mind is incredible and it was great to see a talk with such big ideas.

A lot of Defcon has turned into “Hallway-Con” and that is okay. With such a large community it is hard to get to see everyone, and this is one of the few opportunities through out the year that we can all connect. I know that without Defcon I probably wouldn’t get to see a number of my close friend’s in person on an annual basis as we are geographically dispersed and all busy with our careers and families. So when people call it “Hacker Summer Camp” I wholeheartedly agree.

I am excited to see where the next year takes us. Hack the Planet!

posted by holliday at 9:24 am  

Sunday, September 11, 2016

Random thoughts on sharing information…

Good morning, World! Or should I say, Hello? A brief note, this is not about information security. It is more about information and how our world has shifted in the way that we share it.

Recently I have had the good fortune to speak at a few conferences and to sit down with other speakers and really talk. We didn’t discuss our talks, we discussed life and ideas. I was able to spend dinner with one colleague and speaker two nights in a row at the most recent event and our conversations drifted from work, to life, to faith and ideas on religion and humanity. It really impressed upon me the importance of in person communication and thoughtful conversation. My mind and heart were opened and I was able to really understand where this person was coming from and reflect on my life as well.

This morning, I decided against getting on Facebook. Stay with me, these thoughts are connected. I am tired of the false communication and false closeness social media promises. It wears me out. We have this fake connection to our “friends” but not in any truly meaningful way. It is funny to see how many of my friends I wouldn’t be friends with if I had met them through social media. One of the reasons for this, at least in my mind, is that we see little half thoughts. Little snippets of a false personality that we all show to the world through social media channels. There is no way to share, because it is all projection, our true selves. There is no way to really know someone through social media.

I am going to try my own social experiment and be truly social (he says as he types into his blog), and try to not communicate through memes and links, and sound bites. Sound bite friendships aren’t enough for me. I want to really communicate with people and to expand myself by really learning about them. In my mind’s eye, I see an old, English club where people sit around in leather chairs, drinking whiskey, smoking tobacco pipes and discussing the Universe.

Time to go build a time machine…

posted by holliday at 10:56 am  
Next Page »

Powered by WordPress