Richard J. Bocchinfuso

I’ve spent the last year building and hardening policies using the ITIL (Information Technology Infrastructure Library) framework (Links to an external site.)Links to an external site. as my team I and I worked on a SOC 2 (Links to an external site.)Links to an external site.audit and certification. Our ITSM (Information Technology Service Management) (Links to an external site.)Links to an external site. platform is ServiceNow (SNOW) (Links to an external site.)Links to an external site.. The ServiceNow platform is responsible for managing and automating all aspects of service management for us and our customers, this includes incidents, requests, changes, problems, knowledge, etc… We use a ton of tools in our development and operations (DevOps) toolchain to drive agile development models, automated testing, automated deployments, measurement, self-healing, etc…

Source:  Rich Bocchinfuso

During our system design, we made a deliberate decision to separate our ITOM (Information Technology Infrastructure Operations) platform from our ITSM platform.  Our element management tools, our instrumentation, out ITOM tooling which manages event correlation, alert management and escalation and out ITSM platforms are all decoupled.  We had a good reason for doing this which focused on flexibility, the best tool for the job with the ability to integrate.  Fast forward a few years and we may look to lever ServiceNow ITOM because it is quickly elevating to a best-in-class ITOM tool.

I found it interesting that Ronda R. Henning defined an “incident” as anything that is abnormal on a system. When I think about an incident using the ITIL framework definition I think about as something which has the potential to cause a service disruption. While abnormal activity may trigger an event or an alert this does not mean an incident will be created. The example of Henning provides of Joe being on the system at midnight might trigger an event or an alert, but this event or alert would be trapped by our ITOM system, identified as benign and would not be elevated to an incident.

A simple graphical representation  of the ITIL service management framework:

Source:  Rich Bocchinfuso

In this weeks lecture, Rhona R. Henning also mentions syslog and event logging. This is often referred to as security information and event management (SIEM) (Links to an external site.)Links to an external site.. The idea is to aggregate and analyze events across the enterprise to gain better clarity on what is occurring, the root cause, etc. As an Open Source proponent, I have built this capability on the ELK (Elasticsearch, Logstash, and Kibana), but Splunk is also a popular SIEM.  SIEM has become in intergral IT operations tool.

For continuous monitoring, specific to security we use a number of tools ranging from SIEM, to Lynis (Links to an external site.)Links to an external site. system audits to OpenVAS (Links to an external site.)Links to an external site. and Qualys (Links to an external site.)Links to an external site. vulnerability scans. We use Common Vulnerabilities and Exposures (CVE) (Links to an external site.)Links to an external site. and Common Weakness Enumeration (CWE) classifications to make decisions on criticality and reaction time.

Source:  Rich Bocchinfuso

We have witnessed an evolution that has evolved from traditional infrastructure –> converged infrastructure –> hyper-converged infrastructure –> composable infrastructure, this evolution has dramatically improved our ability to instrument, monitor, automate and selfheal infrastructure.  (Thome, 2017)

Traditional Infrastructure: Decoupled discrete infrastructure consisting of servers, storage, and networking components.
Converged Infrastructure: An integrated solution which bundles compute, storage and networking into a system which addresses a particular workload or solution such as virtualized desktops or a database application.
Hyper-converged Infrastructure: Compute, storage, and networking integrated into a single solution. Hyper-converged infrastructure is often driven by integrated hardware and software-defined technologies.
Composable Infrastructure: Build on converged and hyper-converged technologies thought enhanced software-defined intelligence, unified API (Application Programmable Interfaces) to “compose” and automate the infrastructure.

One of my favorite visualizations of self-healing infrastructure is the Netflix vizceral (Links to an external site.)Links to an external site. network visualization of the networking automagically detecting a failure and rerouting traffic.

I mention this because, in contrast to what Ronda R. Henning states in this weeks lecture, I believe the advent of composable infrastructure and the increased use of machine learning (ML), deep learning (DL) and artificial intelligence (AI) has moved us closer to being able to automagically do more.

Composable infrastructure has given way to A/B testing (Links to an external site.)Links to an external site., blue-green deployments (Links to an external site.)Links to an external site., rapidly iterating and continuous delivery (Links to an external site.)Links to an external site. over rigid release cycles. These advances IMO are largely attributable to composable infrastructure, some call this software-defined. Composable infrastructure is fundamentally driven by software, the agility of software-defined everything, exposed APIs, a focus on usability and orchestration has dramatically changed how we consume, instrument, monitor and selfheal information technology infrastructure.

Lastly, PagerDuty released their Incident Response framework and process (Links to an external site.)Links to an external site. to the Open Source community and it provides a great starting point to begin for building an Incident Response framework.

References

Continuous Delivery. (n.d.). Retrieved September 27, 2018, from https://continuousdelivery.com/

Fowler, M. (2010, March 1). Bliki: BlueGreenDeployment. Retrieved September 26, 2018, from https://martinfowler.com/bliki/BlueGreenDeployment.html

Greene, J. (n.d.). The Essential Guide to ITIL Framework and Processes. Retrieved September 26, 2018, from https://www.cherwell.com/library/essential-guides/essential-guide-to-itil-framework-and-processes/

Henning, R. R. (n.d.). Security Operations, Part 2. Retrieved September 27, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU04VjEvRGF0YS9tb2R1bGUueG1s

Netflix. (2016, October 28). Vizceral. Retrieved September 26, 2018, from https://youtu.be/JctsPpgEsVs

Netflix. (2018, September 05). Netflix/vizceral. Retrieved September 26, 2018, from https://github.com/Netflix/vizceral

PagerDuty, P. (n.d.). PagerDuty/incident-response-docs. Retrieved September 26, 2018, from https://github.com/PagerDuty/incident-response-docs/blob/master/docs/index.md

Rawat, S. (2018, June 08). A/B Testing – The Complete Guide | VWO. Retrieved September 26, 2018, from https://vwo.com/ab-testing/

Rouse, M. (n.d.). What is security information and event management (SIEM)? – Definition from WhatIs.com. Retrieved September 26, 2018, from https://searchsecurity.techtarget.com/definition/security-information-and-event-management-SIEM

SDxCentral. (n.d.). What is Software Defined Everything (SDx) – Defined. Retrieved September 26, 2018, from https://www.sdxcentral.com/cloud/definitions/software-defined-everything-sdx-part-1-definition/

Thome, G. (2017, June 29). Just What the Heck Is Composable Infrastructure, Anyway? Retrieved September 26, 2018, from https://www.itprotoday.com/business-resources/just-what-heck-composable-infrastructure-anyway

This past week was an Interesting week in tech, with the Facebook security breach and Jim Cramer in San Francisco @ Dreamforce interviewing some of the silicon valley goliaths.  One interesting interview I thought I would share was Cramer’s interview with Kevin Mandia, CEO of FireEye.

https://www.cnbc.com/video/2018/09/25/fireeye-ceo-every-cyberattack-is-related-to-geopolitical-conditions.html (Links to an external site.)Links to an external site.

Andrew, we live in interesting times where it seems just about every enterprise has the need to adopt an Agile approach and a DevOps culture.  The move/fail fast paradigm seems to be powering the innovators in the tech industry, but let’s face it, there are a few FANNG (Links to an external site.)Links to an external site. companies.  There is a ton of pressure to move and innovate faster, and many believe the path to success is to mimic the Netflix culture, easier said than done.  Most organizations have a legacy to tend to which impedes the pivot.  The “Subscription Economy” (Links to an external site.)Links to an external site. and the age of cloud and cloud-first strategies is upon us, but we are starting to see some equilibrium and a shift to a “cloud-smart strategy”. (Staff, 2018)

References

Heath, N. (2015, August 24). Should you follow Netflix and run your business from the public cloud? Retrieved September 30, 2018, from https://www.techrepublic.com/article/should-you-follow-netflix-and-run-your-business-from-the-public-cloud/

Staff, R. (2018, September 27). Moving Beyond a ‘Cloud First’ Strategy | VMware Radius. Retrieved September 30, 2018, from https://www.vmware.com/radius/moving-beyond-a-cloud-first-strategy/?src=so_5a314d05ddb83&cid=70134000001SkJd

Scott, careful with all that talk about security only being there to keep the bad guys out and the fact that it’s not if you get attacked, but rather when because you’re sounding like Richard Stallman (Goffman, 2018), not a bad thing. 🙂

Philosophically I agree with many of Stallman’s views, but security is not just about the bad guys. When I think about IAM (Identity and Access Management) (Stroud, n.d.). I think about least privilege, protecting the system from human error, logging, auditing, etc… as much if not more than I think about authentication as a padlock.

I think we will continue to see machine learning play a role in advancing automated incident response, where the plan, process, and procedures are codified, where we take an algorithmic approach to response. Moving to an open model where were the system governs the response aids us in governing transparency because IMO the term “disclosure” is open to far too much interpretation for my liking and this is not helping the situation.

References

Goffman, K. (2018, January 11). Richard Stallman : Last of The True Hackers? (MONDO 2000 flashback 1989). Retrieved September 30, 2018, from http://www.mondo2000.com/2018/01/11/richard-stallman-last-true-hackers-mondo-2000-flashback-1989/

Stroud, F. (n.d.). IAM – Identity and Access Management. Retrieved September 30, 2018, from https://www.webopedia.com/TERM/I/iam-identity-and-access-management.html

Carmen, do you think the two individuals at Uber acted unilaterally?

• Fact:  Many organizations pay hacker ransom demands.
• Fact:  Many organizations who pay hacker ransom demands and get their data back don’t disclose the hack.  Those who hack for financial gain (e.g., ransomware) are an honorable bunch because if they didn’t deliver, organizations would stop paying the ransoms and the business of ransomware would collapse.
• Fact:  Disclosure of a hack impacts the hacked organization’s reputation so debates within organizations around the globe are happening.  These debates include to disclose or not disclose, what constitutes disclosure, how nebulous can the disclosure be, when to disclose, etc… The answers to all these questions more often than not are to disclose at little as possible, to be as nebulous as possible and to disclose at a time when the disclosure is least damaging.

Uber is not alone in how they disclosed.  Equifax (Isidore, 2017) delayed their breach disclosure while insiders participated in a stock sell-off.  What happened?  Absolutely nothing, but somehow Elon Musk is demonized because he tweets that he has secured funding to Tesla private.  Right and wrong isn’t a game of inches, but influence often is.  In Elon Musk’s case, the short-sellers controlled the influence.

References

Isidore, C. (2017, September 8). Equifax’s delayed hack disclosure: Did it break the law? Retrieved September 30, 2018, from https://money.cnn.com/2017/09/08/technology/equifax-hack-disclosure/index.html

“Reactive or Proactive?”

As technology professionals, and astute human beings I believe that we always strive to be proactive (at least I hope so), honestly in today’s world to say you have a reactive strategy to security is almost taboo. We see this in all aspects of IT, the sysadmin (operations team) and developer role have been collapsed into a DevOps (Links to an external site.)Links to an external site. or SRE (Site Reliability Engineering) (Links to an external site.)Links to an external site. role with a focus on instrumentation, analysis, automation, and self-healing. We are seeing these DevOps philosophies make their way into the security realm despite the cloak and dagger InfoSec folks. Relying on reactive strategies where action only occurs following an incident has become almost unacceptable. Yes, we still have incident response plans, but the plan is to proactively thwart incidents avoiding having to enact the dreaded incident response plan. We instrument, monitor and automate to avoid reactive response. From an evolutionary perspective, the automation takes the longest. Some might say that if you are actively hunting for threats you have a proactive approach, but I would say that if you don’t automate analysis and response you still have a reactive process. (Contributor, 2017)

Instrumentation, monitoring, thresholding and automating response is a technique we try to use to avoid the reactive fire drill. When we think about what it takes to build a proactive system, it requires commitment. To build a system which continuously learns is not easy, it requires massive data sets, anomaly detection, and automated response. In the area of security Machined Learning (ML), Deep Learning (DL) and Artificial Intelligence (AI) will play a critical role in the transition from reactive to a proactive response which can aggregate and analyze variables on multiple vectors and infer intent. (Lomonaco, 2017)

When we look at security we can see attacks which have identifiable variables and thresholds managed proactively, an example is DDoS attack mitigation. For instance, a cloud provider known as OVH has built a robust DDoS attack mitigation strategy. This strategy depends on instrumentation, real-time traffic monitoring and analysis, anomaly detection and automated response.

Attack Detection

Mitigation

The real-time analysis identifies the attack traffic, this traffic is redirected to the VAC while legit traffic flows to the target server. As systems continue to mature we will see more complex behavioral patterns analyzed in realtime, and inference engines will make decisions about how to proactively respond. The market is moving very fast right now.

Side Note: If you have not watched the Joe Rogan interview with Elon Musk, you should. Musk’s discussion on how AI will become an extension of the cortex and limbic system once we solve the data rate problem is awesome.

References

Contributor. (2017, July 24). The Shifting Data Protection Paradigm: Proactive vs. Reactive. Retrieved September 19, 2018, from https://devops.com/shifting-data-protection-paradigm-proactive-vs-reactive/

HelpSystems. (2016, August 19). Is Your IT Systems Management Reactive or Proactive? Retrieved September 19, 2018, from https://www.helpsystems.com/blog/your-it-systems-management-reactive-or-proactive

Lomonaco, V. (2017, October 04). Why Continual Learning is the key towards Machine Intelligence. Retrieved September 19, 2018, from https://medium.com/@vlomonaco/why-continuous-learning-is-the-key-towards-machine-intelligence-1851cb57c308

Scott, as I think about my day-to-day and our legacy security practices which some might consider “proactive”, tend to be more routine maintenance activities than “proactive” action based on instrumentation and metrics which provide identification of anomalous behavior and use inference to proactively mitigate a threat. An example is our security patching process which we use:

Using the Common Vulnerability Scoring System (CVSS) (Links to an external site.)Links to an external site. we have a process for patching the threat, but what if this is a zero-day exploit? The only path to a proactive approach is baselining normal behavior, instrumentation, anomaly detections, inference and some action (automated proactive response).

I like Andrew’s automobile analogy, I just struggle with calling an oil change a proactive security practices.  The use of audit tools like Lynis (Links to an external site.)Links to an external site. and vulnerability audit tools like OpenVAS (Links to an external site.)Links to an external site. may be akin to the oil change, but when I think proactive I think about a collision avoidance system or an autonomous vehicle, these systems are able to take input in realtime and make proactive decisions.

FWIW, I have yet to see a situation where cyber insurance has prompted an organization to improve their security posture. Adding insurance just changes the organizational risk equation, IMO not in favor of improved security, although I suppose it does help with the regulation and enforcement of a baseline.

Scott, I think you make a great point about defining proactive and reactive. I agree with your definitions, I think where I struggle is the variance in acceptable “proactive” approaches. As we learned this week, much of this is dependant on best practices and best effort which defined by relative measures within a given industry. With just about every industry today gathering and storing personal data I think it may be time to have a basic requirement for a proactive approach, hunting down that which you can’t see, when you don’t know what you are looking for requires a level of sophistication that many industries have not adopted. Regulations like GDPR are imposing certain requirements regarding privacy on just about every industry.

I think of term life insurance as a reactive plan. I have a reactive plan should the unpredictable happen, because anything can happen, but hopefully I am being proactive enough to avoid needing term life insurance. 🙂

Monique, good point on the ineffectiveness of reactive practice when it comes to APT (Advanced Persistent Threats). In the world of APTs we can’t react fast enough, because while we’re busy reacting the attackers are continuing their crusade. We’ve seen attacks like the attack that took place against Code Spaces’ (Goldman, 2014) where a DDoS attack enacted a reactive mitigation plan, while the Code Spaces’ was busy reacting to the DDoS attack the attackers were busy gaining control of Code Spaces’ AWS EC2 control panel. The attacker essentially ransomed all Code Spaces’ digital assets and put them out of business.

References

Goldman, J. (2014, June 23). Code Spaces Destroyed by Cyber Attack. Retrieved September 23, 2018, from https://www.esecurityplanet.com/network-security/code-spaces-destroyed-by-cyber-attack.html

First off, my apologies for my late post this week, I spent this week in France with a customer, a large U.S. based manufacturing company who eight months ago acquired a France based manufacturing company in the same market to grow their business in Europe. As a U.S. based company, operating from the U.S. there were many challenges that they faced, information technology is often an area that organizations immediately look to post-acquisition to drive synergies and efficiencies, but when a U.S. based company enters the European market this can be significantly more complex. The reason I mention this is because the legislation and cyber law differences between the U.S. and the E.U. can make this complex and pretty challenging. Regulations like GDPR (E.U. General Data Protection Regulation) (Palmer, 2018) is an example of one regulation that the E.U. imposed to protect data privacy. There are plenty of other regulations like PCI, HIPPA, SOX, etc. that all need to be considered in the context of GDPR, this is a real challenge for many organizations.

A side note on why I was late this week, and maybe some travel advice for anyone flying from the New York area (EWR) to Paris (ORY).  As a million mile flyer on United, I more often than not fly United, although I dislike the airline immensely, I was a loyal Continental flyer for a very long time and it’s hard to give up airline status when you travel 100K+ miles a year. My typical process week after week is to work while I travel, well this trip I flew La Compagnie, a small French boutique airline, with two 757s in their fleet flying between Newark (EWR) <-> Paris and Newark (EWR) <-> London, the flights are all business class at a price below United economy fares, seating only 74 passengers, with good service the only downside (for me at least) is no WiFi. Anyway, sorry for the tangent, but just wanted to give some background.

In this weeks Legislation lecture, Ronda R. Henning states that “Legislation, the legal foundations of cyberlaw, lag technology.” (Henning, n.d.) She goes on to say that most legislators are technologically illiterate; that most cyberlaw is derived from legacy mediums (e.g. – print) and this legacy legislation has been applied to cyberlaw. Henning also discusses the topic of authenticity, maintaining chain of custody, and being able to demonstrate through metadata that digital assets have not been tampered with. In the past, we have discussed hashing as a method of creating a digital signature, hashes like MD5, SHA-256, etc. can create a digital signature of a file which can be used to validate data integrity and authenticity. (Simon, 2013)

I think a telling and interesting aspect of cyberlaw and “Legal Obligations” when it comes to the relative measure of obligations, meaning that things like “best effort” and “industry standard” are defined by relative measures of what others are doing within a given industry or discipline.  What this means is there are frameworks for governing how we maintain and audit our security posture, but what we need to do is far more fluid.

Looking at the IBFS (Intergalactic Banking and Financial Services) case study, while fictitious, we can see requirements and challenges which are likely common across the finance and banking industry which is steeped in legacy and highly regulated. We can see the need to balance cost and capability, to increase agility and elasticity via partnerships and outsourcing and to do this while being compliant with regulations which govern the banking and finance industry. As we look at the emergence of game-changing technologies and such as the emergence of blockchain and cryptocurrencies, applying legacy legislation becomes more difficult. While copyright example moved from print media to video content to digital assets, not perfectly but fairly easily, applying legacy financial regulations to technologies like blockchain and cryptocurrencies will not be as easy. I will be interesting to see how regulatory bodies adapt, the idea of legislators being technology illiterate will probably need to change.

Cyberlaw is very complex, we can to some degree understand aspects of cyberlaw such as copyright and regulations, but when we add things like the Patriot Act and the NSA to the mix things get really complex. (Diamond, 2015)

We have discussed security frameworks like NIST, ISO 27001, SABSA and SSAE-16 and I have looked at all these frameworks, which are primarily process driven frameworks. We learned this week that protecting an organization is about best effort, best practices, and industry standards, I use the Center for Internet Security (CIS) (Links to an external site.)Links to an external site. as my guide for industry standards and best practices is the. CIS provides best practices, benchmarks, and toolsets and they do this all in the context of the platform you are securing, Windows, Linux, Hypervisor, etc.

References

CIS Center for Internet Security. (n.d.). Retrieved September 11, 2018, from https://www.cisecurity.org/

Diamond, J. (2015, May 23). Patriot Act debate: Everything you need to know – CNNPolitics. Retrieved September 11, 2018, from https://www.cnn.com/2015/05/22/politics/patriot-act-debate-explainer-nsa/index.html

Henning, R. R. (n.d.). Legislation. Retrieved September 11, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU01VjEvRGF0YS9tb2R1bGUueG1s Florida Institute of Technology

Palmer, D. (2018, May 23). What is GDPR? Everything you need to know about the new general data protection regulations. Retrieved September 11, 2018, from https://www.zdnet.com/article/gdpr-an-executive-guide-to-what-you-need-to-know/

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton: CRC Press.

Simon. (2013, May 29). Verifying File Authenticity via Hashing. Retrieved September 11, 2018, from https://www.anotherwindowsblog.com/2013/05/verifying-file-authenticity-via-hashing.html

Yacine, a very interesting and thought-provoking post. I may be a bit of a conspiracy theorist but I think operating under the premise that Ronda R. Henning touches on this week, in regards to wiretapping or eavesdropping and how living in the digital world alters information intercept. I found it really interesting that Ronda R. Henning pointed out Skype of wireless or VoIP. She points out CDRs (call detail records), what the industry refers to as metadata. I think or metadata as the data that matters, if I have the metadata, I likely have a path to all the data. While the Patriot Act has been reeled in (at least publically) by the Freedom of Information Act, we still see the government looking to take control of communication mediums, most recently the movement to nationalize the 5G network. These are complex issues, the nationalization of anything scares me a little, but on the other hand, I think it would be naive not to consider the complexity of maintaining order in a wireless world where information moves free and frictionless over the airwaves, on the other hand, if it’s on the airwaves it can be intercepted by anyone who can decode it. I reminded of a scene from the movie Heat.

We should pay attention to the fact that the FBI broke the encryption on the iPhone. They politely asked Apple to assist, when Apple said not they figured out how to crack it. The best way to operate is to assume someone is always watching.

References

ACLU v. FBI – FOIA Case for Records Relating to Patriot Act Section 215. (2014, October 6). Retrieved September 16, 2018, from https://www.aclu.org/cases/aclu-v-fbi-foia-case-records-relating-patriot-act-section-215

Henning, R. R. (n.d.). Legal Obligations. Retrieved September 16, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU01VjEvRGF0YS9tb2R1bGUueG1s

Miller, D. (2017, October 03). FBI allowed to keep details of iPhone hacking secret. Retrieved September 16, 2018, from http://www.abc.net.au/news/2017-10-02/fbi-to-keep-details-of-san-bernardino-iphone-hacking-secret/9007400

Vazquez, M., Berlinger, J., & Klein, B. (2018, January 30). FCC chief opposes Trump administration 5G network plan. Retrieved September 16, 2018, from https://www.cnn.com/2018/01/28/politics/trump-nationalize-5g/index.html

“Risks to the Enterprise.”

According to Ronda R. Henning, risk is usually expressed as the probability of an occurrence.  Enterprise risk metrics the probability of harm to the enterprise as a result of disclosure, modification or downtime.

A key aspect of protecting data in the enterprise is assessing the situation, categorizing aspects of the enterprise and applying the proper protections and/or risk mitigation strategies.  We know that the threats are everywhere, the question is what is the threat posed to a specific enterprise, what is the probability that a vulnerability will be exploited and what is the impact of the exploit.  A quick visit to NORSE Corp and fear will have you believing you should disconnect from the internet, disable all ports, prohibit removable media, only use wired connections, etc… but there is security and then there is productivity prohibition.

(Click the image above for live attack map)

Some call this usable security, the text highlights this as “dealing with the conflicting objectives” where the security protocols need to balance security, cost, and usability. (Sherwood, Clark, & Lynas, 2005, p. 27) Making a system secure, but still usable is a complex issue the security architect faces, make the security too tight and humans will look to work around the system, make the system too lose and increase risk.  A complex problem indeed.

One of my favorite examples of usable security and human-computer interaction is highlighted in the course intro to Usable Security on Coursera (Links to an external site.)Links to an external site.. BTW – This is a great course, I highly recommend it.  I bet you can’t think of how a styrofoam cup could be a security threat and how a styrofoam cup could violate HIPPA compliance.  Watch the video above, it’s short and enlightening.

While living in a connected world can be a scary thing, each of us balance risk vs. reward each day, every time we use an ATM or online bill pay system we make the decision that the reward is worth the risk, in most case this for the consumer this reward is convenience.  We also balance risk vs. reward when we think about what password we will use to secure our information, should we use MFA, should we encrypt our data, etc… These personal decisions are similar to the decisions that are made within the enterprise, for example, I use strong passwords eight to ten characters in length, these passwords contain upper and lower case letters, numbers and special characters, they are not dictionary words or leet (Links to an external site.)Links to an external site. passwords 100% of the time, I don’t use twenty character passwords because usability diminishes, the risk vs. reward model just doesn’t work for me.  The password paradigm is used everywhere, email, bank accounts, etc… As things progress up my personal security stack I apply my password best practices and add MFA, a good example here is my AWS login.  Lastly, if data is super sensitive I apply an encryption scheme which requires a passphrase and a 256-bit encryption key.

It’s important to remember that even what may be perceived as the tightest security protocols still contains vulnerabilities.  From Stuxnet (Links to an external site.)Links to an external site. to Heartbleed (Links to an external site.)Links to an external site. we can see how even what is thought to be the securest possible protocols can be thwarted, these systems and protocols were by humans, making them exploitable by other humans.  The emergence of the APT (Advanced Persistent Threat) (Links to an external site.)Links to an external site. has focused the attackers on specific objectives, these attacks are not being perpetrated by high school student looking to change a grade, but rather a nation-state looking to engage in cyber warfare.

These attacks are complex, one of my favorite stories is the story of AMSC (aka American Semiconductor) (Links to an external site.)Links to an external site. who was nearly destroyed when they had intellectual property stolen via old-school corporate espionage.  Who could fathom this story, but if the source code for the PM3000 had this sort of value to AMSC maybe providing an individual located in Austria with access to the source code tree was not the brightest move.  Today we see the FAANG (Links to an external site.)Links to an external site. (Facebook, Amazon, Apple, Netflix, and Google) type companies rely on the volume of code and dependencies to protect their intellectual property, these companies have a level of scale, but this isn’t the case for every company.  Another story that I like is the story of Code Spaces or as InfoWorld titled the article “Murder in the Amazon cloud” (Links to an external site.)Links to an external site., this company had their AWS root account hijacked and all their AWS services being held for ransom, when Code Spaces did not pay the ransom the attackers deleted all their EC2 instances, EBS volumes, snapshots, AMIs and S3 buckets and put Code Spaces out of business.  We know that the attacker used a DDoS attack as a smokescreen but we don’t know how they actually gained access to Code Spaces’ AWS console, but they did. We are seeing this more and more, as organizations open source more software, developers check their code into public Git repositories and they leave behind artifacts that expose credentials, like API keys.  Tools like truffleHog (Links to an external site.)Links to an external site. can crawl git repositories for secrets, digging deep into commit history and branches, finding secrets accidentally committed.

Risk management is iterative, a big mistake is the belief that a security posture is established and the posture that was established on day one is the same posture require on day one hundred.  A framework like NIST (Links to an external site.)Links to an external site. can assist in ensuring that risk is continually evaluated, classified and prioritized.  Security controls and systems are evaluated and monitored to ensure that the security controls (technical, management and operational) are adjusted as needed.

There are numerous frameworks which can help with assessing and evaluating risk by providing a way for an organization to assess their entire system, including people, process and technology.  Some framework examples include:

• NIST (National Institute of Standards and Technology) (Links to an external site.)Links to an external site.:  A subdivision of the U.S. Department of Commerce.  NIST works in conjunction with ISO27001. NIST focuses on covering the entire security lifecycle, this is accomplished by breaking the security controls into 19 families of requirements and categorizes the controls as technical (technology), management (people) or operational (process).
• ISO 27001 (Links to an external site.)Links to an external site.:  Like NIST ISO 27001 breaks security considerations into three categories, organizational, technical and physical.  ISO 27001 relies on audits as the mechanism to assess and evaluate, because of this it tends to be less iterative than the NIST framework.
• SABSA (Sherwood Applied Business Security Architecture) (Links to an external site.)Links to an external site.:  Links security to business analysis models, focusing on how the business functions.

(Source: Sherwood, Clark, & Lynas, 2005, p. 43)

• • SSAE-16 (Links to an external site.)Links to an external site. and SAS-70 (Links to an external site.)Links to an external site.
    •  (Links to an external site.)Links to an external site.As a side note, I just finished a SOC 2 (Links to an external site.)Links to an external site. audit. It took about a year to get all the processes and procedures right and adhered to so we could pass the audit.  Lots to share here.  I will try to weave into our weekly discussions, should get easy once we get to week five and incident response.

Realizing that security is evolutionary is important, that static protocols are unlikely to thwart modern attacks, that AI/ML may hold promise for intelligent and adaptive threat protection and response, but also realize that attackers have access to all the same technology and can create adaptive attacks using attack vectors which were inconceivable just ten years ago.  We see this with projects like deephack (Links to an external site.)Links to an external site. and a ridiculously low barrier to entry for things like cloud-based GPUs for password cracking (Links to an external site.)Links to an external site..  IMO, vigilance, a commitment to iterate and mitigation are the keys to reducing risk in the enterprise, we may not be able to keep everyone out, but keeping them in is a viable strategy.  All too often it seems we focus more on checking the boxes of regulatory bodies and not enough time on actually securing our systems.

While the ability to flash a slide filled with your security credential logos probably looks impressive a developer in most cases can still publish keys or credentials on GitHub (Links to an external site.)Links to an external site. at which point all bets are off.  In the era of cloud computing one commit to GitHub that contains a snippet of code like the below could be the end.

References

Clark, J. (2015, December 04). Hacker uses cloud computing to crack passwords. Retrieved September 5, 2018, from https://www.zdnet.com/article/hacker-uses-cloud-computing-to-crack-passwords/

Collins, K. (2016, May 04). Developers keep leaving secret keys to corporate data out in the open for anyone to take. Retrieved September 5, 2018, from https://qz.com/674520/companies-are-sharing-their-secret-access-codes-on-github-and-they-may-not-even-know-it/

Dxa4481. (2018, August 27). Dxa4481/truffleHog. Retrieved September 5, 2018, from https://github.com/dxa4481/truffleHog

Henning, R. R. (n.d.). Frameworks. Retrieved September 5, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU00VjEvRGF0YS9tb2R1bGUueG1s

Henning, R. R. (n.d.). Risk-Based Security. Retrieved September 5, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU0zVjEvRGF0YS9tb2R1bGUueG1s

Osborne, C. (2017, January 09). GitHub secret key finder released to public. Retrieved September 5, 2018, from https://www.zdnet.com/article/trufflehog-high-entropy-key-hunter-released-to-the-masses/

Sears, C., & Isikoff, M. (2015, November 2). Chinese firm paid insider ‘to kill my company,’ American CEO says. Retrieved September 5, 2018, from https://www.nbcnews.com/news/world/chinese-firm-paid-insider-kill-my-company-american-ceo-says-flna6C10858966

Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton: CRC Press.

Stahl, L. (2016, January 17). The Great Brain Robbery. Retrieved September 5, 2018, from https://www.cbsnews.com/news/60-minutes-great-brain-robbery-china-cyber-espionage/

Venezia, P. (2014, June 23). Murder in the Amazon cloud. Retrieved September 5, 2018, from https://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html

Sharing this because I have shared many classes with many of you and we have often talked about how enterprises balance security investments vs. the cost of an exploit.  I have argued in the past and continue to argue that many organizations focus on JES (Jest Enough Security) to satisfy regulators, insurance companies, etc… The focus is not on securing personal information, but rather on reducing corporate risk, this is just another example of why.

https://techcrunch.com/2018/09/08/equifax-one-year-later-unscathed/ (Links to an external site.)Links to an external site.

Scott, always a good read, although I do have a bit of an issue with making the word “hacker” synonymous with “the big bad wolf”. 🙂 The “hackers” of the Homebrew Computer Club (Links to an external site.)Links to an external site. would probably take issue with this as well, folks like Ed Roberts who built the Altair, the hardware platform that gave birth to Microsoft and Steve Wozniak (aka Woz) who of course designed and developed the Apple I.

Hackers are individuals who enjoy the intellectual challenge of creatively overcoming limitations of software systems to achieve novel and clever outcomes. Now I do understand the modern day (security) hacker colloquialism, so we have now turned what used to be a hacker culture (Links to an external site.)Links to an external site. into a maker culture (Links to an external site.)Links to an external site. but they are essentially the same thing.

Furthermore, even if we stay with the colloquial definition of “hacker” I am not sure that white hat hackers (Links to an external site.)Links to an external site. would appreciate being called “the big bad wolf” but then again maybe they are “the big bad wold” just a sanctioned wolf.

I couldn’t agree more, nation-state hacking is modern-day warfare, waged int he depths of cyberspace with digital assets and information as the objective. Stuxnet is a great example and the Stuxnet virus was just one virus in a massive U.S. cyber warfare operation called Olympic Games.

References

Sanger, D. E. (2012, June 01). Obama Order Sped Up Wave of Cyberattacks Against Iran. Retrieved September 9, 2018, from https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html

Schafer, S. (2017, March 31). White Hat vs. Black Hat Hackers and The Need For Ethical Hacking. Retrieved September 9, 2018, from https://www.clearpathit.com/white-hat-vs-black-hat-hackers-and-the-need-for-ethical-hacking

Regardless of my politics, my parents raised me with more sense than to burn my own (expensive) clothing.  Here is an idea, if you don’t like the Nike campaign, don’t burn your clothes, take the money you now need to spend replacing the clothes and put it to work.

I am what you would call a value and comfort shopper, so if Nike shoes are comfortable and on sale, I buy Nike, not because I have an affinity for the swoosh or Phil Knight or Bill Bowerman or the latest ad campaign, but because they were comfortable and cheaper than the Addidas sitting next to them on the rack.  Just Do It!  Keep gluing rubber to a leather upper that is comfortable and having good sales I’ll be a customer. 🙂  I am actually amazed at the power of a shoe company to excite and enrage people.