Archive for January, 2010

And Now the Petroleum Industry

OK, OK, I promise to move on after writing far too much lately concerning the waves of cyberattacks that are ostensibly coming from China. But I cannot resist writing just once more about this subject, because the attacks that have now targeted the petroleum industry have huge implications for information security. You are probably aware of the several-day-old news that ExxonMobil, Marathon and ConocoPhillips experienced attacks in which the perpetrators penetrated far into their networks, where some of the most business-critical information was stored.

Over the years, I’ve done some kind of consulting work for every major petroleum company, and I’ve had a long-term relationship with some of these companies. Additionally, my father spent over 40 years of his career in the petroleum industry. I thus have learned quite a bit about the way this industry perceives and deals with information security risk. Several types of data were compromised in the recently reported attacks, but the most valuable type of compromised data is widely known as “basin seriatim” data. These are (please forgive my gross oversimplification) data that indicate where to drill for oil deposits, obtained using methods such as echo soundings. A petroleum company’s profitability depends to a large degree on its ability to find sites that produce high yields of crude oil or shale. Each company performs soundings and other tests and then determines which sites appear to be most promising. Each company next submits a “lease bid” to obtain the right to explore for and produce oil from each chosen site. Because competition among oil companies for certain geographical areas can be extremely intense, closely safeguarding basin seriatim data against unauthorized disclosure is highly critical from a business perspective. Strong controls against unauthorized access to these data are almost without exception in place on servers that store such data throughout the petroleum industry. Unauthorized destruction or alteration of these data could also be ruinous to a petroleum company, so strong controls to counter these risks are also commonly implemented throughout the industry.

I would rate the petroleum industry as *much* better than average in its practice of information security. Executive management within this industry for the most part understands the nature and magnitude of security risks much better than in most other commercial sectors. Furthermore, defense-in-depth strategies that include multiple layers of technical, physical and administrative controls for safeguarding valuable data and critical business processes are typically used. It is for this reason that the revelation that big petroleum companies have experienced massive break-ins and information compromises (including compromises of basin seriatim data) shocks me so much.

What is perhaps even worse is that, just like companies such as Lowe’s, TJX, and Heartland Payment Systems, the petroleum industry was unable to discover the waves of intrusions that started in 2008. Instead, U.S. law enforcement broke the news of the break-ins to the petroleum companies in 2009. This strongly suggests that although the petroleum industry is using mainstream intrusion detection and intrusion prevention technology, this technology is simply not delivering what is needed from it. This should come as no surprise, as this kind of thing has been happening virtually everywhere for years. The nature of attacks has changed substantially within the last few years, but current “state-of-the-art” intrusion detection and intrusion prevention systems have the same basic detection mechanisms that they have had for years.

Security Information Event Management (SIEM) technology with strong event correlation functionality could and would have been highly useful in finding the attacks. Curiously, when I was in the SIEM industry a few years ago I approached the person in charge of intrusion detection in one petroleum company about the possibility of trying SIEM technology. I got absolutely nowhere—the person with whom I interacted was confident that the mainstream intrusion detection tools he was using were more than sufficient for his company’s purposes.
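To make concrete what “strong event correlation” adds over a signature-only IDS, here is an added example (my own illustration, not code from the original post or from any SIEM product). It runs a single correlation rule over constructed log lines from three sources: an IDS alert, a privileged logon, and a large outbound transfer. Each source on its own fires on more than one host; only the host where all three coincide inside a time window is raised as an incident. The host names, addresses, timestamps, the 100 MB threshold and the 60-minute window are all assumptions chosen for the example.

```python
"""Added example: a minimal per-host event-correlation rule of the kind a
SIEM applies, run over constructed log lines. Not from the original post.

A single IDS signature, a single large transfer, or a single admin logon is
noisy on its own; all three on one host inside a short window is what a
detection team would treat as a likely intrusion. Every host, address,
timestamp and threshold below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from three sources: IDS, netflow/proxy, and logon audit.
SAMPLE_EVENTS = [
    "2009-11-03T02:14:05 ids host=geo-srv-07 sig=suspicious_outbound_beacon",
    "2009-11-03T02:15:40 logon host=geo-srv-07 user=svc_backup privilege=admin result=success",
    "2009-11-03T02:31:12 netflow host=geo-srv-07 bytes_out=734003200 dst=203.0.113.45",
    "2009-11-03T09:02:00 logon host=ws-118 user=jdoe privilege=user result=success",
    "2009-11-03T09:05:10 netflow host=ws-118 bytes_out=52000 dst=198.51.100.9",
    "2009-11-03T13:20:00 ids host=ws-224 sig=port_scan",
    "2009-11-04T13:25:00 netflow host=ws-224 bytes_out=900000000 dst=203.0.113.8",
]


def parse_event(line):
    """Turn 'TIMESTAMP SOURCE k=v k=v ...' into a dict with a datetime."""
    ts, source, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def single_source_hosts(lines, source):
    """Hosts that one source alone would flag (the IDS-only view)."""
    return sorted({parse_event(l)["host"] for l in lines if parse_event(l)["source"] == source})


def correlate(lines, window_minutes=60, exfil_bytes=100 * 1024 * 1024):
    """Return one hit per host where, within `window_minutes` after an IDS
    alert, both a privileged logon and an outbound transfer of at least
    `exfil_bytes` occur. Thresholds are assumptions for the example."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        by_host[event["host"]].append(event)

    hits = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for anchor in events:
            if anchor["source"] != "ids":
                continue
            in_window = [e for e in events if anchor["ts"] <= e["ts"] <= anchor["ts"] + window]
            privileged = any(e["source"] == "logon" and e.get("privilege") == "admin"
                             for e in in_window)
            exfil = any(e["source"] == "netflow" and int(e.get("bytes_out", 0)) >= exfil_bytes
                        for e in in_window)
            if privileged and exfil:
                hits.append({"host": host, "start": anchor["ts"], "sig": anchor["sig"]})
                break  # one incident per host is enough for this rule
    return hits


if __name__ == "__main__":
    print("IDS alone flags:", single_source_hosts(SAMPLE_EVENTS, "ids"))
    for hit in correlate(SAMPLE_EVENTS):
        print(f"INCIDENT {hit['host']} starting {hit['start']} ({hit['sig']})")
```

Note that the IDS-only view flags two hosts (one of them a port scan with nothing else behind it), while the correlated rule flags only the host where the alert, the admin logon and the bulk transfer line up; shrinking the window to ten minutes drops that hit too, which is the tuning trade-off any correlation rule carries.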

The message to organizations throughout the world is clear. If the petroleum industry has suffered a rash of such serious security incidents, and if this sector has exemplary security practices (which it for the most part does), no industry sector is safe. The real question now is which sector will be targeted next.

Categories: Uncategorized Tags:

Archive Everything Forever, Part 1

What do the Chinese Communist Party and FINRA (Financial Industry Regulatory Authority) have in common? They both want to control and/or censor all communications by their communities. In the case of the Red Chinese, of course, this affects things like whether Tiananmen Square gets sprayed with machine gun fire or Google gets to do business in China without shame. In the case of FINRA in the US, this affects whether registered representatives and their financial firm employers can use social media unfettered. Free speech? What free speech?
Recently, FINRA announced that financial firms are responsible for “monitoring” and “archiving” all communications on social media sites such as Facebook and Twitter by people in their employ. This mostly targets registered representatives, those authorized to trade securities for their firms or their clients, or who advise individuals about securities and financial markets. In fairness, FINRA’s guidance sounds pretty reasonable: “supervise the use of social networking sites to ensure that recommendations are suitable and their customers are not misled.” And they also state that, “FINRA does not endorse any particular technology to keep such records, nor are we certain that adequate technology currently exists.” OK, fair enough. But what to do?
This reminds me of deliberations I participated in back in the mid-1990s in which the security and operations people in regulated financial firms were told to “archive everything forever,” as a kind of “shot across the bow” by regulators frozen in the headlights of the exponentially growing phenomenon called The Internet. No known technology then satisfied “archive everything forever.” But that didn’t stop the regulators. There has always been a requirement to archive communications made on paper. Later, it was realized that a lot of faxed communications might be bypassing postal mail-based controls. Later still, recorded phone lines were required (creating kind of a “hot line” class of phones within trading rooms; if you needed to make a personal call, better use a pay phone or a big, clunky cell phone like the ones used by the “LowScore Band” in those commercials), which generated lots of coping behavior among those who needed to communicate regarding non-firm business. Trouble is, as was well documented in the original “Wall Street” movie (Oliver Stone plans to release the sequel to the 1987 classic this year), fraudsters also could still escape monitoring by using the same coping mechanisms. Remember Charlie Sheen breathing into his phone, “Blue Horseshoe loves Anacot Steel”?
This also evokes memories of a case I worked on early in my Wall Street career. A young trader had posted a comment on a Yankees bulletin board (now there’s an arcane term for you in 2010…) in response to an inappropriate posting of a credit card offer on the same board. The credit card offer was not in any way illegal, but it so angered the young trader that he posted an expletive-laced rant about how “this board is for Yankees fans,” etc. etc. from his firm email account. We got five or six sternly worded complaints from people, some of whose children were users of the Yankee-fan board site themselves, who were worried that our firm would tolerate such language. OK, personal speech by a trader on his lunch time. But: using a firm-provided and firm-identified email origin. This damaged the firm’s reputation. The young trader even said to us, “I knew I should have waited until I was home,” to make the angry post. He was not surprised to be fired. Fast forward to today, though. The distinction between personal and firm-identified email is way fuzzier. Could someone have researched the IP address used for a typical HTTP session and linked the firm with the bad language in the same way? Maybe. Would the firm arrive at the same conclusion about perceived damage to reputation? Seriously open to question. This vivifies the problem regulators face today, though it has nothing to do with fraud.
“Archive everything forever” was a great example of the kind of clueless regulation securities professionals have faced for a long, long time. Remember, this statement came at a time when Bernie Madoff was probably into the second decade of his little scheme, and the SEC had already conducted its first investigation of Madoff Securities and found nothing untoward. The problem really is that, in today’s climate of “get the greedy bankers,” it is likely that regulation designed to prevent fraud will get more draconian and less effective. What’s called for is for banks and securities firms to take the initiative and provide tools to their employees and agents to help keep everybody out of trouble.
The answer, I think, is found in emergent information technologies today. Information security has reached a great watershed in its evolution from preventive, inwardly focused tools to externally focused, product and value enhancing tools. I foresee a day when it will truly be possible to differentiate firms by the security they demonstrate, not just dubious self-assertions. In Part 2 of this blog, we’ll develop this idea more completely.


A Realistic Look at Cutbacks in Information Security Practices

I read with some dismay a recent report by Foote Partners that said that the IT and IT security market is not likely to improve from its current dismal state until the end of this calendar year. Let’s face it—the last 18 months have been anything but ideal for information security professionals. I know many highly knowledgeable and accomplished information security professionals who have been out of work for a prolonged period of time now. Some are just about ready to give up—a real shame not only from a psychological perspective, but also from the standpoint that their knowledge and skills are going unused when they could instead greatly contribute to risk management efforts and business enablement within organizations.

As I have said before, a certain amount of whining concerning the status of information security within organizations exists. The reasoning goes something like this: “Information security is really critical given the level of risks that my organization faces, but executive management remains clueless and indifferent about it.” I’ve also previously said that I believe that (as the CISM exam preparation materials state) if executive management does not really understand and value the contribution of information security to a business, it is imperative that the information security manager initiate a concerted effort to educate executives concerning what information security has accomplished and promises to deliver in the future. Doing this is no easy task, as face-to-face time with executive management is generally extremely limited, but somehow “best-of-breed” CSOs manage to succeed in this task.

There should be no mysteries concerning cutbacks in information security staffing. Bad economic times foster cost-cutting measures, and seldom is any function or group within an organization spared from them. But then I got to thinking that groups and functions within organizations that are perceived to be extremely valuable from a business perspective generally fare better when it comes to staffing than those that are not. Staffing cutbacks within information security may thus be unusually easy for executive management to make when they do not really understand what information security brings to the table, so to speak. The fact that some of the top information security practices in the world are currently hiring information security professionals instead of laying them off serves as a strong case in point.

There is an old saying, one that I do not completely agree with, that goes like this: “Every victim participates in his own victimization.” I wonder to what degree this saying applies to some information security practices today. I wonder how many CSOs have viewed cutbacks as inevitable and, accordingly, have waited with dread until cutbacks have actually occurred in a kind of self-fulfilling prophecy scenario. I wonder how much different the staffing cutback situation in these practices might have been had there been more of an effort to fight the downsizing trend by instead attempting to educate executive management concerning the value of information security to the organization. The task is not by any means easy, true, but the effort is more than justified by the fact that the reward, if obtained, is so great.


All Fingers Keep Pointing to China

The word that Google experienced numerous break-ins to its systems spread quickly last week. Not only were numerous Google systems breached, but a considerable amount of intellectual property was also stolen. The attackers exploited a zero-day vulnerability in Microsoft’s Internet Explorer as well as a variety of other vulnerabilities. Google was not the only organization targeted by these attacks, however; reports indicate that approximately 30 other organizations (but most probably many more than this) also fell victim to the same type of attacks, which started a little over one month ago and ended the first week in January this year.

The most recent round of attacks is really nothing new, and all fingers keep pointing to China as the source of the attacks. Why?

1. Compromised machines sent information gleaned from them to servers in China. The fact that this happened is, of course, no proof that the attacks originated in China, as a group of attackers from another country could have broken into and gained control of these servers. Still, the fact that Chinese servers were involved in the malicious activity is one fact that points to China.

2. Google brought in an information security consultancy to determine what had happened. A consultant from this company reported that the sophistication of the attacks is very high—that the malicious code used in the attacks is far more complex than mainstream attack tools. By all appearances, the author(s) of this code must have obtained financing to be able to obtain the time needed to develop code of this level of sophistication; it is a well-known fact that China has financed such efforts in the past.

3. The malicious code discussed in item 2 above incorporated a rarely found algorithm used to determine whether data corruption has occurred when it sends information. This algorithm’s source code has so far been found only on Chinese systems, another fact that implicates China.

4. Google reported that numerous attacks targeted the Gmail accounts of human rights activists in China. The Chinese government has carried on a running battle with these activists for years and is highly motivated to find information about them and their activities.

5. Several Google employees with ties to China may have aided the attackers in their efforts. The employees suspected of having done this have had their network access suspended while an investigation is being conducted.

Interestingly, the US government announced that it would lodge a formal protest to China over the break-ins to US systems. Additionally, Google’s initial reaction was to announce that it was considering not doing business in China any more. I doubt whether anything either entity does with respect to China will make much of a difference because China is the proverbial 1,000-pound gorilla. It is in many ways the enemy of the US and other free-world countries, yet these countries have a huge potential market in China and they can also obtain very affordable labor there. What everything boils down to is a cost-benefit analysis in which the costs (e.g., constant break-ins into US systems, theft of trade secrets by bugging rooms, and more) are hugely outweighed by the benefits (e.g., gigantic sales opportunities and considerably cheaper labor). So, protests or not and threats to discontinue doing business or not, China is firmly in the driver’s seat, something with which the US government and the US commercial sector have had to come to grips.

Here is a final thought—who is the biggest provider of cloud computing services? Google is the correct answer. And the latest round of break-ins was by no means the first for Google. One might thus think that Google might not exactly be a world leader in the practice of information security. So once again we have a great example of just how great the risks associated with cloud security are.


About Information Security Centers and Institutes

From time to time I read postings and news items in which someone from some organization named a “center” or “institute” is quoted, or a study performed by one of these organizations is cited. For example, I recently saw a news item that stated that a certain institute had conducted a study that indicated that individuals who had certain information security-related certifications had a higher salary than others. I have often wrestled with how credible the various centers and institutes that operate within the information security arena are, so let’s explore this issue for just a little bit.

I have spent a good part of my career in academic institutions. In such settings, the right to have the title of “center” or “institute” in connection with any effort within the institution is generally tightly controlled. For example, suppose that for some reason, I as a faculty member at some university wanted to name my research program something like “Center for Advanced Studies in Information Security.” Unless I had a very substantial program in terms of significant levels of sustained funding, staff, and positive impact upon the scholarly environment, I would be unlikely to be allowed to use such a name in connection with the program.

Reality outside of academic institutions is completely different when it comes to using the title “center” and “institute,” however. There is virtually no validation of any center or institute actually having any implied expertise or functioning at any particular level. So, for example, I could create an entity, the “Schultz Institute of Advanced Research in Information Security,” and unless there were some kind of trademark infringement issue, I could operate under this impressive name until hell freezes over. I could have a staff of one, myself, or, if I were craftier, I could list a staff of ten people, all of whom agreed to have their names listed as a personal favor to me or perhaps in the hope that their professional stock might rise or that they might get some research or consulting work that they might not otherwise have gotten.

As far-fetched as my hypothetical example might seem to you, this kind of thing happens all the time. I was at a conference last spring in which the “executive director” of a fancily-named information security “center” made a presentation, one with which I frankly was not very impressed. I found out afterwards that this so-called center operated out of this person’s house and that he was the only active member of this “center.” Strangely, my initial impression was that this person must have been a very knowledgeable and influential person.

Please do not get the impression that I am saying that every or even most information security-related institutions and centers operate on a “smoke and mirrors” basis. Many of these organizations make substantial contributions to our field. At the same time, however, some very deliberately appear to be much more than they are. So when you read of a study on some information security-related issue, I’d advise you to not accept the reported findings and conclusions at face value. The study may not have been conducted properly, the sample size may have been far too small to allow generalization of the results, the so-called “research team” may have consisted of a single individual who may or may not have had proper credentials for conducting the study, the results may not have been properly analyzed, and the conclusions may or may not be valid. Consider also that the so-called “laboratory” in which data may have been collected may have actually been someone’s basement. Oh, and worse yet, some organization that strongly expected certain results and conclusions favorable to its marketing efforts may have financed the research in the first place.

The bottom line is that you should take names and titles of organizations with a grain of salt. Be skeptical. You can generally trust the very well-established ones such as SRI International, MITRE, and the RAND Corporation, but with the rest—caveat emptor once again applies.


Privacy Issues with Full-body Scanning in Airports

The thwarted plane bombing incident last month continues to raise questions concerning flight security measures that should be in place. Already the U.S. government is placing more air marshals aboard international flights coming into this country in an attempt to deter would-be bombers, hijackers, and the like. According to what I have read, most Americans are in favor of this measure. The same is, however, not true of requiring full-body scans of passengers. Heated objections to this measure such as the following are being raised:

1. Full-body scanners used by the Transportation Security Administration (TSA) reveal private body parts, a huge invasion of privacy.

2. These devices can store and send images. As such, images of essentially unclothed persons can potentially be obtained by unauthorized persons.

3. These devices can be rendered completely ineffective if someone knows how to tamper with their settings. The fact that many of these devices run on the Windows XP operating system allows for additional ways in which tampering can occur.

I am not comfortable with the fact that the U.S. government has collected all the personal information it has regarding individuals, myself very much included. Although some of this information may be necessary for security purposes, I am quite confident that much of it is not. In theory, U.S. citizens and residents are protected by the 1974 Federal Privacy Act, which was passed in response to growing concern that the US government was about to construct a huge database that made information about individuals centrally available. This law says that a federal agency can collect and store “records” about individuals only when doing so is necessary to achieve that agency’s objectives. Additionally, when records of this nature are created, the agency that creates and stores them must inform the public accordingly, and must suitably safeguard them.

Doesn’t performing, storing and transmitting scans of essentially naked humans violate the Federal Privacy Act? Apparently not. The unfortunate truth is that this statute has proven to be woefully inadequate in protecting any kind of personal privacy whatsoever anyway. Any federal agency can obtain virtually any information about individuals that it wants with only the flimsy justification that it needs this information to do its business. And the U.S. Patriot Act only makes things worse from a privacy perspective. Lamentably, Americans are truly at the mercy of their government when it comes to privacy.

So—when airports obtain more full-body scanners and using these scanners becomes a routine part of the flight safety screening process, what will happen to the images of individuals that the TSA will obtain? I read a posting a few days ago that alleges that the TSA has said it does not intend to retain any such images. I wish I could believe this, but I cannot. If the technology to store and send these images exists, the government will invent some excuse to use it, especially given all the furor and panic over unsafe flying that some people, particularly certain members of the news media, are stirring up. The fact that the government may very well have full-body scan images of me at some point in the future greatly troubles me because of the crass invasiveness involved. I fear that the authors Orwell and Huxley may well have been right in their depictions of a world in which individual rights were completely suppressed. But what also greatly troubles me is the risk of full-body scan images falling into unauthorized hands. Given the U.S. government’s dismal track record in safeguarding personally identifiable information, data security breaches involving body scan images are inevitable. The agency involved will, of course, profusely apologize, but the damage, the extent of which is potentially so great that it is difficult to truly envision, will already have been done.

There is some hope. If children undergo full-body scans, the images obtained will constitute child pornography under current U.S. laws. Perhaps at least children will thus be exempted from the requirement to undergo full-body scans at airports. But what about the rest of us? The answer is that it is up to you and me. If enough of us bombard our elected officials, particularly members of Congress, with our objections regarding full-body scans at airports, perhaps they will sooner or later get our message and do something about it. One thing is sure, however—if we do nothing, our worst nightmares in terms of privacy infringement are bound to materialize.


Using Wireless in the Air: Whatever Happened to Security?

If you have the same kind of job that I have, airplanes are no strangers to you. For better or worse (more often the latter lately), flying is a big part of life for many people, myself very much included. Part of what I consider unpleasant about flying is the fact that I have to sit very close to someone whom I do not know and who may not be very considerate at all (have you noticed all those uncovered sneezes lately?) for an extended period of time. Additionally, events, sometimes very important ones, transpire while one is in the air. Keeping up with them is almost impossible unless you pay for in-flight wireless services. These services not only help a flyer keep in touch with what is happening on the ground, but also are a good antidote for boredom. And, oh by the way, they also help people to become more productive on the job.
I’ve heard a few information security professionals say that the greatest security risk in using a computer in the air is the risk of a nearby passenger seeing what is displayed on a computer screen. True, this is a potentially serious threat, but what most people do not realize is that if someone uses wireless services in the air, chances are that person will be connected to an insecure IEEE 802.11 wireless network of one variant or another. Anyone on the same plane with a laptop connected to the same wireless network, or with a WiFi-enabled phone, can eavesdrop on everything that an in-flight wireless user sends. Consider the risk when there are 400 people on a jumbo jet! But the danger does not stop there—a malicious user can also attempt to access shares, or possibly even to log on to any similarly connected system. Additionally, Emagined Security’s COO, Paul Underwood, has seen mind-boggling in-flight wireless scenarios. In one of them, a user set up an in-flight wireless connection and then created a proxy to which other users on board could connect!
The point here is that security concerns about using wireless networks should not be limited to on-the-ground wireless networks. The same risks that occur in using such networks also apply to in-flight wireless networks. At a minimum, every user of in-flight wireless networks should apply the following security control measures:
1) Ensure that your computer has a properly configured firewall running.
2) Ensure that your computer is running anti-virus and anti-spyware software, both of which are updated frequently.
3) Use VPNs for all communications with your organization’s hosts.
4) Use SSL or some other strong encryption method for connections to Web sites and mail servers.
5) Check for open shares on your PC; if any exist, protect them (minimally with a difficult-to-guess password).
Or if you do not want to use all these measures, at a minimum connect to a VPN and then launch your email client or Web browser.
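As an added illustration of items 4 and 5 in the list above (my own example, not code from the original post or from Emagined Security), here is a small “pre-flight” check that reads the output of Windows `netstat -an` and reports two things a fellow passenger on an open cabin network could take advantage of: file-sharing services bound to every interface, and established sessions to well-known cleartext ports. The netstat output is constructed sample data; the port-to-service table uses the well-known port numbers, and the Windows column layout is an assumption (Linux `netstat` adds Recv-Q/Send-Q columns and is not handled).

```python
"""Added example: a pre-flight check over constructed Windows `netstat -an`
output. Not from the original post. Flags (a) file-sharing services listening
on all interfaces and (b) established connections to cleartext ports, the two
things a neighbour on the same open Wi-Fi can reach or read."""

# Well-known ports for LAN file-sharing services (assumption: this short list).
SHARE_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram",
               139: "NetBIOS session", 445: "SMB", 548: "AFP", 2049: "NFS"}
# Well-known cleartext application ports (assumption: this short list).
PLAINTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                   110: "POP3", 143: "IMAP"}
# Local addresses that mean "bound on every interface".
ALL_IFACES = {"0.0.0.0", "[::]", "*"}

# Constructed sample output in the Windows `netstat -an` layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    192.168.13.7:49201     203.0.113.5:443        ESTABLISHED
  TCP    192.168.13.7:49202     198.51.100.20:80       ESTABLISHED
  TCP    192.168.13.7:49203     198.51.100.20:143      ESTABLISHED
  TCP    [::]:2049              [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    127.0.0.1:1900         *:*
"""


def parse_netstat(text):
    """Yield one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        rows.append({"proto": parts[0].upper(), "local": parts[1],
                     "foreign": parts[2], "state": parts[3] if len(parts) > 3 else ""})
    return rows


def split_addr(addr):
    """'host:port' -> (host, port or None); handles '[::]:445' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def exposed_shares(text):
    """File-sharing services reachable from any other device on the network."""
    findings = []
    for row in parse_netstat(text):
        host, port = split_addr(row["local"])
        listening = row["proto"] == "UDP" or row["state"].upper().startswith("LISTEN")
        if listening and host in ALL_IFACES and port in SHARE_PORTS:
            findings.append(f"{SHARE_PORTS[port]} ({row['proto']}/{port}) is listening on all interfaces")
    return findings


def plaintext_sessions(text):
    """Established connections whose traffic an eavesdropper can read as-is."""
    findings = []
    for row in parse_netstat(text):
        if row["state"].upper() != "ESTABLISHED":
            continue
        fhost, fport = split_addr(row["foreign"])
        if fport in PLAINTEXT_PORTS:
            findings.append(f"{PLAINTEXT_PORTS[fport]} session to {fhost}:{fport}")
    return findings


def preflight_report(text):
    """Combine both checks; 'ok' is True only when nothing was flagged."""
    shares, plain = exposed_shares(text), plaintext_sessions(text)
    return {"ok": not shares and not plain, "exposed_shares": shares, "plaintext_sessions": plain}


if __name__ == "__main__":
    report = preflight_report(SAMPLE_NETSTAT)
    for item in report["exposed_shares"] + report["plaintext_sessions"]:
        print("WARN", item)
    print("OK to connect" if report["ok"] else "Fix the items above, or connect through a VPN first")
```

The loopback-only NetBIOS and SSDP listeners in the sample are deliberately not flagged: a service bound to 127.0.0.1 is not reachable from the cabin network, which is the distinction the “open shares” item in the list is really about. On a real machine you would feed the function the actual `netstat -an` output instead of the constructed sample.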
Hopefully, this blog entry will change your thinking about risks involved in in-flight connectivity. Assuming that you make changes in your in-flight use of wireless, you next ought to turn your attention to your organization’s information security policy and standards. Do they cover in-flight computer usage? If not, it may also be time to start planning and discussing necessary changes in both.
Conventional computing use involves many risks; wireless connectivity introduces even more. Whether you are using wireless on the ground or in the air, make sure you do not fall victim to wireless attacks.


American Bankers’ Association Recommends Using Dedicated PC for Banking Transactions

Last week the American Bankers’ Association (ABA) recommended that small and medium-sized businesses adopt a special security measure, using a dedicated PC for Automated Clearing House (ACH) transactions, to protect against fraudulent transactions. According to the ABA, this PC would be considerably safer than a normal one because it would not be used for other purposes such as Web browsing and email, two activities that considerably increase the likelihood of a PC being compromised by attackers and malware.

The ABA’s recommendation should not be limited to banking transactions, however. Once compromised, a PC should be considered completely insecure and unreliable. The probability of a given PC being compromised is high, especially if that PC has not been hardened. Numerous research studies have shown that an out-of-the-box Windows system connected to the Internet without additional security controls becomes compromised in less than 10 minutes. These considerations virtually mandate reserving a PC that is not exposed to the multitude of security risks that Web browsing and email introduce for financial transactions and other more sensitive functions only.

Small and medium-sized businesses can afford to buy dedicated PCs for banking and other business-related functions. A huge problem, however, is that individual users usually do not have this luxury; having different physical computers for different functions is usually not financially feasible. A college student is, for example, likely to be able to afford only one PC. Fortunately, virtualization technology offers some realistic help for everyday users in that different virtual machines (VMs) can be created for different functions. Two VMs could run Windows 7, but one of them could be used for financial and other transactions, whereas the other could be used for “normal” user activity such as Web browsing. This kind of use of virtualization offers numerous advantages*:

1. Multiple functions can co-reside on a single physical machine, thus precluding the need to buy, set up and maintain a second one.
2. Each of the VMs could be rolled back to a known good state every time the physical machine is booted. If a VM were compromised, it could be restored to a previous, uncompromised state during boot.
3. If a standard configuration for VMs were prescribed by an organization’s standards, every new VM could be built according to these standards. Each VM would thus have a uniform configuration throughout the organization, thereby helping ensure that uniform security-related settings would be in place everywhere.
4. The ABA could design and build a “Gold Standard” VM to be used throughout the banking industry. This VM would help organizations achieve desired levels of security without having to allocate resources to determine desirable settings.

Virtualization is not perfect from a security point of view. One of the greatest concerns is that all virtualization products have vulnerabilities that, if not patched, can result in numerous undesirable outcomes, one of which is the possibility (in certain virtualization products) of a perpetrator who gains privileged access to a guest VM being able to obtain privileged access to the host system on the same physical machine. But assuming that the risks inherent in virtualization are properly mitigated, virtualization can and does provide protection against fraudulent banking transactions as well as other types of incidents.

There is also another “poor man’s solution” for users to consider—using one browser (IE, Google Chrome, or…) for financial transactions and other more sensitive purposes, and then a completely different browser for all other purposes. The virtualization solution I have proposed is really better from a security standpoint: if someone running as a privileged user uses a particular browser that has a cross-site scripting vulnerability to connect to a malicious Web site, the game is over, and using a different browser for other functions will do no good if the operating system itself is compromised. But using different browsers is also a much more manageable solution for everyday users.

The ABA deserves considerable credit for its initiative in making such a good recommendation. The big question is whether banks will accept and implement it. After all, you can lead a horse to water, but you cannot make it drink…

* – Phil Hoffman deserves credit for informing me about virtualization benefits that I had not previously considered.

Categories: Uncategorized Tags:

The Recent Plane Bombing Attempt: Lack of Event Correlation Combined with Failure to Share Information

The U.S. Department of Justice recently charged a 23-year-old Nigerian with trying to blow up a Northwest Airlines airplane as the plane was close to landing on Christmas Day. The suspect, Umar Farouk Abdulmutallab, reportedly claims to be an al-Qaida agent. The suspect allegedly went to a bathroom in the plane because he claimed he was sick. When he came back to his seat, he allegedly pulled a blanket over himself and then pulled out a syringe and used it to ignite explosives that he had in his underwear. According to accounts of the incident, the man’s pants and the side of the plane’s wall next to him caught on fire, but passengers and flight crew held him, took away the syringe and extinguished the fire.

The story of the attempt to blow up an airplane really has nothing to do with information security per se. Still, I chose to write about this event because it could and should have been prevented in the first place, and the lessons learned are very relevant to information security. What is incredible to me is that a little over four months ago the U.S. Central Intelligence Agency (CIA) had become aware that a Nigerian was possibly involved with terrorist circles in Yemen, although the man’s name was unknown at the time. Then three months ago Abdulmutallab’s father went to the U.S. Embassy in Nigeria to report that his son was missing and to request help in finding him. The father also said that he believed that his son had ties to al-Qaida in Yemen. The CIA never put two and two together, so to speak—it was unable to correlate pieces of information that proved to be critical. President Obama reacted by saying:

“There were bits of information available within the intelligence community that could have and should have been pieced together.”

The fact that the CIA was unable to correlate the information it had received is not unique to the government arena. Organizations constantly receive fragments of information—that reconnaissance scans and probes from certain IP addresses occur, followed by attempts to exploit vulnerabilities, followed by unusual patterns of connections and/or anomalous system behavior. These organizations too often rely on point solutions such as individual firewalls, intrusion detection systems, and intrusion prevention systems to monitor network activity. In so doing they are unable to determine the context of events that occur. Dave Shackleford sums up this problem nicely in a SANS white paper available at

“In today’s dynamic threat and network environments, standalone Intrusion Detection/Prevention Systems (IDS/IPS) cannot protect against the ever-changing attacks and vulnerabilities. The reason: Standing alone, IDS/IPS lacks the context it needs to reliably distinguish an event from a non-event and prioritize protection based on business-critical rules. Context can be helpful in determining when an event indicates a security incident, such as a deliberate remote buffer overflow exploit attempt, as well as when events are nothing more than false positives, such as poorly configured applications sending out broadcast packets.”
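The scan, exploit attempt, anomalous-behaviour chain described above, correlated per target host over constructed sensor lines, as an added example that is not code from the post or from the SANS paper; the log format, field names, the four-port scan threshold and the one-hour window are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sensor lines (not real data), "<timestamp> <sensor> key=value ...":
# 203.0.113.7 probes 10.0.0.5, an IDS signature fires, then 10.0.0.5 calls out to a new
# address; 10.0.0.8 sees one isolated IDS hit and nothing else.
SAMPLE_LOGS = """\
2010-01-04T09:01:10 fw src=203.0.113.7 dst=10.0.0.5 dport=22 action=deny
2010-01-04T09:01:11 fw src=203.0.113.7 dst=10.0.0.5 dport=23 action=deny
2010-01-04T09:01:12 fw src=203.0.113.7 dst=10.0.0.5 dport=443 action=deny
2010-01-04T09:01:13 fw src=203.0.113.7 dst=10.0.0.5 dport=3306 action=deny
2010-01-04T09:02:30 ids src=203.0.113.7 dst=10.0.0.5 sig=http-dir-traversal
2010-01-04T09:20:00 host src=10.0.0.5 dst=198.51.100.9 event=new-outbound-conn
2010-01-04T09:30:00 ids src=192.0.2.44 dst=10.0.0.8 sig=http-dir-traversal
"""
SCAN_PORTS = 4               # distinct denied ports from one source = reconnaissance (assumed)
WINDOW = timedelta(hours=1)  # all three stages must fall inside this span (assumed)
STAGES = ("recon", "exploit", "anomaly")

def parse(lines):  # yield (timestamp, sensor, fields) for each non-empty log line
    for line in lines.splitlines():
        if line.strip():
            ts, sensor, *kv = line.split()
            yield datetime.fromisoformat(ts), sensor, dict(p.split("=", 1) for p in kv)

def standalone_ids_alerts(lines):
    """What a point solution reports: every IDS hit, with no sense of which one matters."""
    return [f for _, sensor, f in parse(lines) if sensor == "ids"]

def correlate(lines):
    """{target host: [(ts, stage, detail)]} only for ordered recon->exploit->anomaly chains."""
    denied = defaultdict(set)     # (src, dst) -> distinct ports the firewall denied
    timeline = defaultdict(list)  # target host -> [(ts, stage, detail)]
    for ts, sensor, f in parse(lines):
        if sensor == "fw" and f.get("action") == "deny":
            denied[(f["src"], f["dst"])].add(f["dport"])
            if len(denied[(f["src"], f["dst"])]) == SCAN_PORTS:  # fire once per scan
                timeline[f["dst"]].append((ts, "recon", f["src"]))
        elif sensor == "ids":
            timeline[f["dst"]].append((ts, "exploit", f["sig"]))
        elif sensor == "host" and f.get("event") == "new-outbound-conn":
            timeline[f["src"]].append((ts, "anomaly", f["dst"]))  # src is the local host
    incidents = {}
    for host, events in timeline.items():
        chain = []
        for ts, stage, detail in sorted(events):
            if (len(chain) < len(STAGES) and stage == STAGES[len(chain)]
                    and (not chain or ts - chain[0][0] <= WINDOW)):
                chain.append((ts, stage, detail))
        if len(chain) == len(STAGES):   # lone alerts never reach this point
            incidents[host] = chain
    return incidents
```

On the sample, the standalone view yields two IDS alerts of equal weight, while correlation reports a single incident on 10.0.0.5 and leaves the isolated hit on 10.0.0.8 as a low-priority event.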

Perhaps even worse is the fact that the CIA kept the information about the suspect that it obtained completely to itself. Had the CIA shared this information with the Department of Homeland Security (DHS), the State Department, and other U.S. government entities, the fact that the suspect had an active U.S. visa and that he was on the passenger list for an upcoming flight to the U.S. almost certainly would have been discovered, in all likelihood leading to a precautionary cancellation of his visa and/or including him on a no-fly list. Additionally, the probability that somebody in other agencies or departments would have correlated the various bits of information obtained about the suspect would almost certainly have increased substantially.

The problem of lack of information sharing within government circles is anything but a new problem. But lack of information sharing is by no means limited to within the government. Commercial and other entities also fail to share critical information about cyberattacks that they have experienced, thereby depriving other organizations of the ability to recognize and defend against new as well as persistent types of attacks and hampering law enforcement efforts. The creation of numerous Information Sharing and Analysis Centers (ISACs) within various verticals has helped some, but has by no means solved the lack of information sharing problem.

Stating problems without solutions is a poor practice, so I’ll propose a solution to one major problem that I have discussed in this posting. How about a Presidential edict that mandates firing any government employee who is the head of any government agency or department that fails to share critical information affecting U.S. interests (such as countering terrorism) with other agencies and departments that need this information? If such an edict were put in place, I’d bet that heads of agencies and departments would do everything they could to ensure that critical information was shared. President Obama, are you listening?


Information Security Predictions for 2010

It’s 2010 now, and as I’ve done in the past, I’m going to make a few predictions concerning information security-related events and changes that I believe will occur in 2010.

First, I predict that at least one data security breach that is bigger than the Heartland Payment Systems incident in terms of the amount of personally identifiable information (PII) compromised and money lost will occur in 2010. Financially motivated perpetrators know that there is far more money to be made from their sordid activity than they have been making (and many of them are already making millions of US dollars annually). They have been advancing and perfecting their attack methods for years. In contrast, most organizations continue to devote pathetically few resources to mitigating security-related risks. Worse incidents than the one Heartland experienced are thus inevitable.

Second, I predict that blended threats will continue to increase in prevalence and magnitude. The train bombing in Madrid several years ago was a classic example of a blended threat, in which the phone system and explosives were used in conjunction with each other, resulting in massive loss of human life. Lamentably, the Internet will increasingly be used in connection with terrorist activities, and, ironically, terrorists will use better security practices (e.g., data encryption, strong authentication, and so on) than will governments and commercial organizations. This trend will persist well beyond 2010.

Third, I predict that the Obama administration will, like the administrations before it, continue to pay lip service to cybersecurity, but will not do much about it in 2010. I am not really criticizing the current administration. It is impossible to launch and sustain too many initiatives simultaneously, and initiatives such as rescuing the economy and fighting terrorism have a much higher priority than fixing the cybersecurity problem that exists in the U.S. right now. If and when some of the major initiatives succeed, the likelihood that the President will turn more attention to cybersecurity will increase substantially, but I do not expect this to happen in 2010.

Fourth, I predict that people and organizations will continue their current trend of rushing wildly into “cloud computing” and social networking without much, if any, thought about security considerations. Massive security incidents such as compromises of entire customer databases, prolonged disruption of critical business processes, and worm outbreaks on major social networking sites such as MySpace and Facebook that make these sites unusable or shut them down entirely will occur in 2010.

Fifth, I predict that in 2010 the music and film industry will continue to make major advances in their war against piracy. Court rulings and legislation will give them greatly expanded power to snoop on users and force Internet service providers to turn over information about users’ usage patterns. Privacy advocacy groups will react by raising more money to fight music and film industry-initiated court cases and by increasing public awareness of excesses by these industries.

Sixth, I predict that in 2010 the PCI Consortium will tighten the PCI-DSS requirements to address current gaps resulting from the Consortium’s very information-centric approach to cardholder data security. I am not being critical of this approach—it is, after all, the most logical approach when information is the “crown jewel” that needs to be protected. But in focusing on information per se, less attention is paid to other threat vectors such as hosts that do not store, process or transmit cardholder data, but which nevertheless could be used as a pivot point to attack hosts that do. Additionally, the Consortium will mandate continuous rather than annual compliance with the PCI-DSS.

Finally, I predict that the information security job market will start to improve in 2010 primarily as the result of senior management within organizations either directly experiencing or reading about the huge and costly incidents that will occur. The improvement in the job market is likely to be preceded by increased demand for information security consultants to fill specific needs. Money for permanent hiring will then become available as the economy starts to improve. I also foresee that information security management skills and experience will be particularly sought-after; good information security management is the critical differentiator between an effective and ineffective security practice.

I could make more predictions, but after all, psychologists say people can hold only five plus or minus two chunks of information in their short-term memory, and I’ve presented seven predictions. And if nothing else, I really hope that my predictions will fare better than the Gartner Group’s predictions have over the years! Only time will tell, however.
