Tag Archive for: Attack

Congratulations on StubHub Arrests

I would like to offer my congratulations to the private and public entities that participated in the recent investigation and arrests of cyber criminals in New York City, Ontario, Canada, and London, United Kingdom.  A tremendous amount of hard work and dedication from all parties is required to successfully dismantle an international criminal enterprise.  The success we witnessed this morning should be used as the gold standard upon which future collaboration between private companies and the International law enforcement community are modeled.

hacker_handsCollaboration at this scale is required to turn the tables on cyber criminals. The impact of today’s events should not be underestimated: this is bigger than any individual arrest.  The global law enforcement community has sent a strong message to the individuals who commit these crimes – You are no longer safe to travel and operate outside of your home country, without significant risk of arrest and prosecution. Isolation is a powerful force in the effort to change behaviors.  Confined within the borders of their home countries, I suspect we’ll see a change in behavior on the part of some of these criminals.

Continued success with prosecutions will have a lasting effect on cyber criminal behavior… but it is not a silver bullet.  Cyber attacks and data breaches are still way too easy for attackers with even a moderate level of skill.  We must continue working to make our systems and economy more resilient to attack.

I recently joined RedSeal Networks to work on this specific problem, making it easier for network owners to protect their assets and defend against intrusion and data breach.  I’m looking forward to the coming months when we share more of our plan to make network security something that we aren’t just striving to attain, but something we actually have in our toolkit to counter cyber threats.

A Question of When, not If

Breached!  This is the new watchword in the executive office suite these days.  Ever since Brian Krebs revealed to the world that Target had been breached, every company is on notice.   While the primary role of the CEO is revenue and growth, there are a host of other activities that support revenue and growth.  Namely, the company’s employees and its data infrastructure are critically important for every company.  But what about the network?

Having been an investor in network infrastructure for a couple of decades, I know chances are very high that your company’s network has been built over decades, by scores of people of varying skill levels.  Chances are your network is very complex, beyond what any person or team can truly understand.  Chances are your network runs your business more than you really appreciate, and without it your business would stop.  It’s just as important as your manufacturing and supply chain, or your service centers, or your employees.  The network is a strategic asset of the corporation.

tweezersThis was brought home in a powerful way when I recently attended a cyber security meeting in London.  In addition to briefings with a number of industry analysts, this meeting also included a panel discussion with about 15 CISOs from various industries like finance, not-for-profit, publishing, media, banking, and manufacturing.  To a person these CISOs said two things.  First, their greatest need was skilled personal to run their networks.  Second, their senior management was asking questions about not “if” they were breached but what they would do “when” they were breached.  This shift in attitude, driven by all the news in recent years about breaches at large, household-name companies, was an “ah ha” moment for me.

Your company will be breached, or you will fall victim to some other network crime.  As CEO, you must prepare yourself for these events.  A lot can be done to prevent most breaches, and to be prepared when one inevitably does happen.  It starts by knowing just how your network is built and operated.  As trite a statement as it is, the truth of the matter is this:  If you don’t know how your network is built, how can you possibly secure it?

Have you asked your CISO what the plan of action is when a cyber attack is successful?  Does your board understand the liability of a successful attack?  Regrettably, it is a matter of when, not if.

Your Security Has Been Compromised

On an autumn day in 2008 while I was an active, practicing journalist, I sat in my office and interviewed Todd Davis, CEO of LifeLock for my article on scanning the underbelly of the web. Todd is perhaps best known for appearing in ubiquitous advertising and broadcasting his Social Security Number. At the time, it was becoming clear that online threats to identity theft were growing dramatically, and they were introducing their new service to help their customers avoid appropriation of their identity online.

chessWe’ve come a long way since then. So far, in fact, that the NSA has change their strategy in a way that should send a shiver down the back of everyone responsible for enterprise security: They have switched to assuming that security has been compromised.

Let that settle for a moment. The NSA, the organization most responsible for understanding the cyber-security stance of the United States, its allies, and other countries and organizations worldwide has changed its approach to an assumption of breach.

As I noted in Inside the Mind of an Attacker and Inside the Mind of an Attacker (Pt 2), the motivation and environment of attackers has changed. Now, those with the greatest amount of information are agreeing that the situation has shifted.

With more than 100 foreign intelligence agencies targeting assets plus a likely greater number of criminal organizations, you need to decide how you are going to defend against this new environment. What tools and approach will you use once you recognize that evil actors are in your network? What does defense mean with this mindset?

What’s your answer?

Inside the Mind of an Attacker — Part 2

Recently, on a rainy Colorado afternoon, I sat down at my kitchen table to decide how I was going to upgrade our home security system. Just as anyone who has gone through this process would do, I walked around the house and looked at all of the possible ways an intruder could attempt to enter. I thought like an attacker, and determined how I would defend against any attempt to gain access.

This is how all physical security defense is done: analyze all possible access paths and put defenses into place at each one: locks, sensors, access codes, lights, and other approaches combine to create a defensive shield.

While this approach is obvious for physical defense, it’s rarely employed in defense of enterprise systems and networks. Instead, many organizations rely redroboton the equivalent of a guard sitting at one entrance expecting to see all access attempts when there are other doors to breach and a back fence that can be scaled.

One of the reasons for this approach is the incredible complexity of even the most basic enterprise network. With dozens to tens of thousands of extremely complex devices interconnected in an entwined web of cables and wireless meshes, it is, quite literally, impossible for humans to parse much less accurately understand and manage. You need systems to do it for you.

Much like home automation is coming into the mainstream with both Google and Apple offering integrated means for monitoring and managing everything from temperature and lights to locks and door status, automation for networks to be sure that your network is configured the way you expect and doing it the way you want it to be done is mission critical.

If you missed the initial post on this topic, see Inside the Mind of an Attacker: Part 1

Inside the mind of an attacker

This morning, I woke up, walked downstairs, and performed my morning rituals, including a review of OmniFocus on my iPad to see what was on tap for today. I looked at my list of projects, my next actions, and those items that are due in the next few days. Then, I went to work.

In many homes across the world, days began in similar fashion. Some of those reviewing their projects, however, had a decidedly different thematic thread: their projects have the goals of breaking into the networks and servers of key government and industry organizations for purposes of espionage, theft, or disruption. And they get paid to do it.

Some of us remember the earliest days of the Internet when servers were open to all. In fact, anyone could log onto the root account at Richard Stallman’s server and create their own personal account. My, how far we’ve come when breaking into networks and systems is a career path!

In the early days of people breaking into systems and networks, most actors were solo and focused on showing their own skills while demonstrating the weakness of those they attacked. Early viruses and worms (like the Morris Worm) were often the result of bugs in the target systems and mistakes in the attacking code.

hackerToday, governments across the world are applying their resources investing in full-time staff to break into systems and networks in other parts of the world. From the Syrian Electronic Army to the People’s Army, the US Government, and organized crime, attacks come from many different sources looking for a variety of results. This means the mentality is professional, organized, and coordinated, and the attackers are motivated by a variety of results, from financial to patriotic.the early days of people breaking into systems and networks, most actors were solo and focused on showing their own skills while demonstrating the weakness of those they attacked. Early viruses and worms (like the Morris Worm) were often the result of bugs in the target systems and mistakes in the attacking code.

Knowing this, it’s essential that you determine the best way for you to defend against these attackers. They aren’t going to give up, so you need to be diligent and focused on your defenses. And we’ll talk more about that next time.

Negative Unemployment

I recently attended a gathering of Wall St CISOs, one of whom referred to the “negative unemployment” in our industry.  I thought this was a great phrase, and I’ve found it’s a quick way to get across some quite deep points about current security.

At first, it just sounds cute, but in practice, it’s about as cute as the Oil Crisis.  Bad guys have figured out how to make money by attacking our weak defenses.  We’re scrambling to catch up.  The C-Suite and the board are more accommodating than they have ever been – something to do with the recent dismissal of the Target CEO, I shouldn’t wonder.  We know we need people, so we go to hire them, and what do we find?  Bad resumes.

knowledgegapHave you found it easy to hire the talent you need?  If so, lucky you – feel free to drop hints in the comments section (or just gloat – your peers tell me they aren’t having it so easy).

It makes for an ugly choice.  Do we hold standards high, waiting for people with the right skills to come along?  Or do we hope to train people new to the field?  As I look around, I can see our discipline soaking up some people of – how should I put it? – marginal aptitude.  I’ve seen this before – I remember the go-go days of the late 90’s, when Silicon Valley start-ups sucked in all kinds of people with no business working in such environments.  When that went all pear-shaped, it wasn’t so bad – sure, some stock options suddenly lost a zero or two in value, but it’s not really fair to whine about that.  Watching the same thing happen in corporate IT security is a much scarier proposition.