Hack The Planet

Because if you don't, who will?

Thursday, April 19, 2018

When the lights go out…

For years, information security researchers have warned about attacks on ICS (Industrial Control System) infrastructure at power and water facilities, but this year we may finally start seeing some executives taking it seriously…or are they?

In 2010, the world became aware of Stuxnet, an elegantly designed piece of malware targeted at SCADA (Supervisory Control and Data Acquisition) systems at Iran’s Natanz nuclear facilities. The goal of the malware was to cause the centrifuges at the facility to fail, and by all accounts it was very successful. Stuxnet woke up the information security world to the risk of what malware targeted against ICS/SCADA systems could do, and the risks we all faced. Sadly, many people in the C-Suite believed, as many people do, that attacks only happen to other people.

In 2017, the Triton/Trisis malware was discovered to be targeting a vulnerability in Schneider Electric’s Triconex firmware. One victim was reportedly in the Middle East, but how many organizations have been truly impacted is unknown. This RAT (Remote Access Trojan) triggered an emergency systems shutdown before it could deploy its payload, or we may never have discovered it.

One of the interesting functions in both of these different malware samples is their ability to collect information from the systems they have infected. Stuxnet used this capability to replay information to the monitoring systems to show that everything was okay, while in reality the centrifuges were failing. Advanced and motivated adversaries build these carefully crafted attacks not only to cause destruction, but to hide themselves and what is truly going on in the environment to extend their ability to cause damage. It is both impressive and terrifying.

In a recent survey by Tripwire, people from the energy sector were asked about their concerns, the classic “What keeps you up at night?”. The answers were interesting if not expected.

91% responded that they were worried about cyber attacks against their ICS systems. It makes sense that they would be concerned, but I wonder if the other 9% didn’t understand the question. If you are in the energy sector and are not worried about this, then you should be replaced because you don’t understand your threat model and what you are up against.

70% responded that they were concerned that an attack would result in a catastrophic event. With the capabilities that Stuxnet, Industroyer, and Triton have at their disposal, the likelihood of an incident that causes massive loss of life is growing.

The one statistic that I really want to share is that 56% of respondents stated that they will only see more security investment “Once there is a significant attack” against them. This is incredibly telling. This comes from the idea that it is cheaper to fail or be breached than to properly secure your environment. Sadly this has proved out to some degree, and even more sadly shareholders are valued over lives.

I am sure we will see even more attacks moving forward, and I can only hope that we learn how to properly invest, and protect our energy and water facilities before it’s too late.

posted by holliday at 1:08 pm  

Saturday, April 14, 2018

The Cybersecurity Talent Gap

It has been talked about for years, but the cyber security talent gap, or the ability to hire information security folks with any real expertise, is still massive. In a recent study it was taking some organizations over 6 months to fill a position. Couple that with the ever increasing rise in cyber crime, and it doesn’t look pretty.

I spoke on Cybersecurity Education a few years ago, and the numbers then showed we would have over 1,000,000 unfilled seats by 2019, and from other reports it looks like we are already there. We are seeing more and more need for individuals that can perform key cybersecurity duties, and a greater lack of skilled candidates than anticipated.

When I spoke, I mentioned we needed to train people using techniques such as gamification, and now a report from McAfee is looking at bringing gamers into the field. I think this is a good idea, but they have to want to make the jump. Cybersecurity is a lot of fun, but only for those who are passionate about it. Gamers may be more likely to enjoy it than others because they are used to having an active adversary they are competing against. I know I love it.

One thing that seems to have been lost in the talent gap is how we retain talent. As an industry we really need to make sure our executives and HR teams understand that it is easier to train someone than to hire the perfect candidate. Offering competitive training and helping your own people to future-proof their careers is a way not only to keep your best and most loyal employees, but also to differentiate your organization when you are trying to hire that ever-elusive candidate.

To end with some good news, it is only taking organizations 101 days to discover an incident, down from 416 days in 2011. I mean, it isn’t great, but we take any win we can.

posted by holliday at 4:59 pm  

Thursday, April 5, 2018

Another week, another…

Every week I wake up to news of a breach, or that a previous breach’s headcount has increased, or there is a new attack. We are still living in a digital wild west, where security sheriffs try and protect their town, but marauding bands of thieves continue to pillage with almost no risk of being prosecuted. Time to pull ourselves up from the latest news and get back to protecting our users.

Here are a few stories from this week that made the headlines and drove home the point that we have to do better.

After all of the news about Facebook giving third-party companies access to users’ data, which was then used against those users, the hits keep coming, with the number of users impacted rising to at least 87 million, and it will probably continue to grow.

As much as I love Panera’s soups and sandwiches, the way it deals with security vulnerabilities leaves much to be desired. If companies continue to behave like this, researchers will stop reporting vulnerabilities and the impact to the company will be much worse.

Anytime we make a tool for law enforcement, we must assume that it will be used by criminals, or in this case spies. Once a technology is available to anyone, it is available to everyone. We need to think about this as the battle over encryption and backdoors continues to be fought.

I like to end things on a fun note, so if you are going to be walking through a jungle you may not want to wear “Obsession for Men” unless you like the attention of cougars, and not the human kind.

posted by holliday at 8:43 am  

Friday, January 19, 2018

There is no edge…

I remember early in my career that when it came to security you had to protect the edge. You put in a firewall, then you would put in an IDS as we moved forward, and everything was about the edge. It was a castle model. Basically, we built the walls, the moats and all manner of protections to keep the invaders out. I don’t need to rehash all of this because it has been talked about before.

Move forward to the last few years and the edge has dissolved. We have kept up our walls and protections, but our business has moved beyond our walls. Our business is done in the fields, and in other towns and castles, or all the way across the world. The invaders don’t need to come to our gates anymore; we take our treasures to them, in the shape of our mobile and cloud-connected devices.

This week a new malware campaign, Skygofree, hit the news wire and it was completely focused on mobile endpoints. As I was reading different reports about the malware I thought about how easy we have made it for the invaders.

We built our defenses, but haven’t trained our people who were inside the gates how to defend themselves, or even what to look for in an attack. We gave our people access to our resources from anywhere in the world, but not the tools (mental or digital) to protect them. Then we wonder why we were breached.

The digital world continues to move forward at breakneck speed and our protections continue to dwell in the dark ages. Until we wake up to the new reality that there is no edge, we are leaving ourselves ripe for pillaging.

Train your users, build protections into your mobile workforce devices, and keep an eye to the future as there will be new, emerging technologies that will change our protection landscape again before we know it.

posted by holliday at 11:58 am  

Friday, January 12, 2018

…and a Happy New Year!

The New Year wasted no time in dropping some great (and terrible) vulnerabilities. Let’s hope the rest of this year can keep up with how it has started.

posted by holliday at 5:09 pm  

Monday, August 14, 2017

Defcon 25 Recap

This year marked the 25th anniversary of Defcon, and my 10th year attending. Defcon continues to grow, this year eclipsing 25,000 attendees. It is incredible to see all of the different people that attend every year and how we as a community continue to grow.

During the opening keynote, Alex Stamos of Facebook hit on a few key things that really resonated with me. One of these was that we need to build up the next generation of Engineers: the people that will be coming after us, that we need coming after us, to help secure the Internet going forward.

It hit home because this summer I helped set up a Cyber Skills Exercise for a program that was built for middle school girls called “Cyber Warrior Princess”. It was really cool to see the way the kids jumped in and were excited to learn. We could learn a lot from them on maintaining our enjoyment of technology and not becoming stale. These young women are going to be attending (possibly) Defcon in a few years time, and I want the conference to be something they can enjoy.

There were many other good briefs during Defcon, Digital Vengeance being one I really enjoyed. It was nice to see that malware, RATs specifically, were as buggy as any other code and could be used to strike back (within legal limits) at your adversaries.

Another brief, a talk by Kasparov, was really inspirational and helped re-energize me. His mind is incredible and it was great to see a talk with such big ideas.

A lot of Defcon has turned into “Hallway-Con” and that is okay. With such a large community it is hard to get to see everyone, and this is one of the few opportunities throughout the year that we can all connect. I know that without Defcon I probably wouldn’t get to see a number of my close friends in person on an annual basis, as we are geographically dispersed and all busy with our careers and families. So when people call it “Hacker Summer Camp” I wholeheartedly agree.

I am excited to see where the next year takes us. Hack the Planet!

posted by holliday at 9:24 am  

Sunday, September 11, 2016

Random thoughts on sharing information…

Good morning, World! Or should I say, Hello? A brief note, this is not about information security. It is more about information and how our world has shifted in the way that we share it.

Recently I have had the good fortune to speak at a few conferences and to sit down with other speakers and really talk. We didn’t discuss our talks, we discussed life and ideas. I was able to spend dinner with one colleague and speaker two nights in a row at the most recent event and our conversations drifted from work, to life, to faith and ideas on religion and humanity. It really impressed upon me the importance of in person communication and thoughtful conversation. My mind and heart were opened and I was able to really understand where this person was coming from and reflect on my life as well.

This morning, I decided against getting on Facebook. Stay with me, these thoughts are connected. I am tired of the false communication and false closeness social media promises. It wears me out. We have this fake connection to our “friends” but not in any truly meaningful way. It is funny to see how many of my friends I wouldn’t be friends with if I had met them through social media. One of the reasons for this, at least in my mind, is that we see little half thoughts. Little snippets of a false personality that we all show to the world through social media channels. There is no way to share our true selves, because it is all projection. There is no way to really know someone through social media.

I am going to try my own social experiment and be truly social (he says as he types into his blog), and try to not communicate through memes, links, and sound bites. Sound bite friendships aren’t enough for me. I want to really communicate with people and to expand myself by really learning about them. In my mind’s eye, I see an old English club where people sit around in leather chairs, drinking whiskey, smoking tobacco pipes and discussing the Universe.

Time to go build a time machine…

posted by holliday at 10:56 am  

Monday, March 7, 2016

Another year, another RSA conference…

As another RSA conference comes to an end and we all cycle back into our lives, I am glad I was able to attend so that I could meet with old friends and walk the floor to see how large our industry has become.

It is incredible how many vendors there are, and how many of them claim to solve the same problem. With so many companies that offer Threat Intelligence and the ability to protect against Advanced threats, it is a wonder we haven’t solved this whole Information Security thing by now. The truth is though, most of these companies are just putting new branding around old technology and hoping no one notices.

One positive change I saw was the number of companies offering training services to help make more people proficient in the Cyber. There is a severe lack of talent in this space, and with the continuing growth and maturation of the cybercrime industry, we need all the help we can get.

One interesting note is the head of the NSA saying Data Distortion is one of the three things keeping him up at night. It is good that intentional data manipulation is getting the discussion it deserves. After the OPM (Office of Personnel Management) breach I had many conversations about the effects it would have, not just on the information that was stolen, but on what information could be trusted after that type of breach. With the rise of Cyber Espionage, data breaches may be less about what they take, and more about what they add or modify. I am guessing that Data Integrity products (read: Encryption) will be the next products to get a makeover and re-branding.

I guess we will see if I am right at RSA next year, or maybe even Black Hat this year.

posted by holliday at 10:50 am  

Monday, February 22, 2016

Basic Economics is why we fail at Security…

In the InfoSec community we often rail against people not doing enough to secure their data. If they had only installed this, or hadn’t installed that. Why can’t these people understand?

The issue we run into is not that they don’t want to secure their information, they just can’t afford to do it. This week we saw a hospital and a school pay criminals to get ransomware removed from their networks. The amounts they paid were $17,000 and $8,500 respectively.

The reason I point this out is that they probably won’t be fined and so all they are out is a few thousand dollars and a little bad press. These institutions won’t really lose that much face though. They will be pitied that they were attacked by Big Bad Hackers, and then people will forget it happened. If you look at Target and Home Depot, two of the bigger breaches in the US, the overall impact to the business was minimal.

In the end it is more expensive to try and protect information than it is to pay the fine for a breach, or to pay the criminals that encrypt your data and hold it for ransom. When you think about how much it costs just to hire someone capable of knowing how to protect your data, you are already in the six figures, with just one person. You have already paid more than four times the amount that this hospital and school paid to get their information back, combined. This is all before you buy any security tools, which are never cheap.

At the end of the day, we are losing this battle because the cost of failure is acceptable.

How can we change the cost of failure to be in our favor? Do we increase the fines for being breached? Since shareholders care about the bottom line, companies are incentivized, through the lack of large fines, to be less secure. It could be argued that increasing fines would drive companies to not report breaches. There are laws today that require companies to report if they have been breached, but does it cost that much more to be fined for not reporting? Companies gamble all of the time this way; I’m looking at you, VW. Our criminal counterparts, at the same time, thinking like Walmart, know they can just charge less and keep getting paid.

Sadly, I don’t think the change will happen until attacks like the Sony hack become more frequent, forcing companies to re-evaluate the cost of failure.

posted by holliday at 10:09 am  

Monday, February 15, 2016

How the years change us…

It is interesting to go back and reflect on what we have written, what we have created, and think about who we were then. I know that for me it is a pretty stark change. I hope that the change is good, but as with anything, that is in the eye of the beholder.

I think that when we look at people, at companies and nations, we need to be more forgiving of their past and, while not completely ignoring it, listen to who they want to be today. Many times we find that nations change more than individuals.

Just looking at the United States, I see a stark divide between where we were 20 years ago and where we are today. Sadly, from my perspective it is not actually better. I had a lot of hope that we were in the middle of something amazing. That technology and the internet were going to change our lives forever. They have, just not in a way I and many others expected.

When I read The Declaration of the Independence of Cyberspace I imagined another world. Today I just see another store front. But reading it again, 20 years later, I am filled with the same hope. We doers have the ability to make the Internet, the world wide webs, Cyberspace, whatever you want to call it, a place of Mind.

Or it can continue to be the Walmart of the future…

posted by holliday at 7:07 pm  