The submissions for this assignment are posts in the assignment’s discussion. Below are the discussion posts for Richard Bocchinfuso.
“Risks to the Enterprise.”
According to Ronda R. Henning, risk is usually expressed as the probability of an occurrence. Enterprise risk metrics express the probability of harm to the enterprise as a result of disclosure, modification or downtime.
A key aspect of protecting data in the enterprise is assessing the situation, categorizing aspects of the enterprise and applying the proper protections and/or risk mitigation strategies. We know that threats are everywhere; the question is what threat is posed to a specific enterprise, what the probability is that a vulnerability will be exploited, and what the impact of the exploit is. A quick visit to NORSE Corp and fear will have you believing you should disconnect from the internet, disable all ports, prohibit removable media, only use wired connections, etc… but there is security and then there is productivity prohibition.
Some call this usable security; the text highlights this as “dealing with the conflicting objectives,” where the security protocols need to balance security, cost, and usability (Sherwood, Clark, & Lynas, 2005, p. 27). Making a system secure but still usable is a complex issue the security architect faces: make the security too tight and humans will look to work around the system; make the system too loose and you increase risk. A complex problem indeed.
One of my favorite examples of usable security and human-computer interaction is highlighted in the course intro to Usable Security on Coursera. BTW – this is a great course, I highly recommend it. I bet you can’t think of how a styrofoam cup could be a security threat and how a styrofoam cup could violate HIPAA compliance. Watch the video above, it’s short and enlightening.
While living in a connected world can be a scary thing, each of us balances risk vs. reward each day; every time we use an ATM or online bill pay system we make the decision that the reward is worth the risk, and in most cases, for the consumer, this reward is convenience. We also balance risk vs. reward when we think about what password we will use to secure our information, whether we should use MFA, whether we should encrypt our data, etc… These personal decisions are similar to the decisions that are made within the enterprise. For example, I use strong passwords eight to ten characters in length; these passwords contain upper and lower case letters, numbers and special characters, and they are not dictionary words or leet passwords, 100% of the time. I don’t use twenty-character passwords because usability diminishes; the risk vs. reward model just doesn’t work for me. The password paradigm is used everywhere: email, bank accounts, etc… As things progress up my personal security stack I apply my password best practices and add MFA; a good example here is my AWS login. Lastly, if data is super sensitive I apply an encryption scheme which requires a passphrase and a 256-bit encryption key.
It’s important to remember that even what may be perceived as the tightest security protocols still contain vulnerabilities. From Stuxnet to Heartbleed we can see how even what is thought to be the securest possible protocols can be thwarted; these systems and protocols were built by humans, making them exploitable by other humans. The emergence of the APT (Advanced Persistent Threat) has focused the attackers on specific objectives; these attacks are not being perpetrated by a high school student looking to change a grade, but rather a nation-state looking to engage in cyber warfare.
These attacks are complex. One of my favorite stories is the story of AMSC (aka American Semiconductor), who was nearly destroyed when they had intellectual property stolen via old-school corporate espionage. Who could fathom this story, but if the source code for the PM3000 had this sort of value to AMSC, maybe providing an individual located in Austria with access to the source code tree was not the brightest move. Today we see the FAANG (Facebook, Amazon, Apple, Netflix, and Google) type companies rely on the volume of code and dependencies to protect their intellectual property; these companies have a level of scale, but this isn’t the case for every company. Another story that I like is the story of Code Spaces, or as InfoWorld titled the article, “Murder in the Amazon cloud.” This company had their AWS root account hijacked and all their AWS services held for ransom; when Code Spaces did not pay the ransom the attackers deleted all their EC2 instances, EBS volumes, snapshots, AMIs and S3 buckets and put Code Spaces out of business. We know that the attacker used a DDoS attack as a smokescreen, but we don’t know how they actually gained access to Code Spaces’ AWS console; they did, though. We are seeing this more and more: as organizations open source more software, developers check their code into public Git repositories and leave behind artifacts that expose credentials, like API keys. Tools like truffleHog can crawl git repositories for secrets, digging deep into commit history and branches, finding secrets accidentally committed.
Risk management is iterative; a big mistake is the belief that a security posture is established once and that the posture established on day one is the same posture required on day one hundred. A framework like NIST can assist in ensuring that risk is continually evaluated, classified and prioritized. Security controls and systems are evaluated and monitored to ensure that the security controls (technical, management and operational) are adjusted as needed.
There are numerous frameworks which can help with assessing and evaluating risk by providing a way for an organization to assess their entire system, including people, process and technology. Some framework examples include:
- NIST (National Institute of Standards and Technology): A subdivision of the U.S. Department of Commerce. NIST works in conjunction with ISO27001. NIST focuses on covering the entire security lifecycle; this is accomplished by breaking the security controls into 19 families of requirements and categorizing the controls as technical (technology), management (people) or operational (process).
- ISO 27001: Like NIST, ISO 27001 breaks security considerations into three categories: organizational, technical and physical. ISO 27001 relies on audits as the mechanism to assess and evaluate; because of this it tends to be less iterative than the NIST framework.
- SABSA (Sherwood Applied Business Security Architecture): Links security to business analysis models, focusing on how the business functions.
(Source: Sherwood, Clark, & Lynas, 2005, p. 43)
- SSAE-16 and SAS-70
As a side note, I just finished a SOC 2 audit. It took about a year to get all the processes and procedures right and adhered to so we could pass the audit. Lots to share here. I will try to weave it into our weekly discussions; it should get easy once we get to week five and incident response.
Realizing that security is evolutionary is important: static protocols are unlikely to thwart modern attacks, and AI/ML may hold promise for intelligent and adaptive threat protection and response, but also realize that attackers have access to all the same technology and can create adaptive attacks using attack vectors which were inconceivable just ten years ago. We see this with projects like deephack and a ridiculously low barrier to entry for things like cloud-based GPUs for password cracking. IMO, vigilance, a commitment to iterate, and mitigation are the keys to reducing risk in the enterprise; we may not be able to keep everyone out, but keeping them in is a viable strategy. All too often it seems we focus more on checking the boxes of regulatory bodies and not enough time on actually securing our systems.
While the ability to flash a slide filled with your security credential logos probably looks impressive, a developer in most cases can still publish keys or credentials on GitHub, at which point all bets are off. In the era of cloud computing one commit to GitHub that contains a snippet of code like the below could be the end.
Clark, J. (2015, December 04). Hacker uses cloud computing to crack passwords. Retrieved September 5, 2018, from https://www.zdnet.com/article/hacker-uses-cloud-computing-to-crack-passwords/
Collins, K. (2016, May 04). Developers keep leaving secret keys to corporate data out in the open for anyone to take. Retrieved September 5, 2018, from https://qz.com/674520/companies-are-sharing-their-secret-access-codes-on-github-and-they-may-not-even-know-it/
Dxa4481. (2018, August 27). Dxa4481/truffleHog. Retrieved September 5, 2018, from https://github.com/dxa4481/truffleHog
Henning, R. R. (n.d.). Frameworks. Retrieved September 5, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU00VjEvRGF0YS9tb2R1bGUueG1s
Henning, R. R. (n.d.). Risk-Based Security. Retrieved September 5, 2018, from http://learningmodules.bisk.com/play.aspx?xml=L0Zsb3JpZGFUZWNoTUJBL01HVDUxNTUvQ1lCNTI3NU0zVjEvRGF0YS9tb2R1bGUueG1s
Osborne, C. (2017, January 09). GitHub secret key finder released to public. Retrieved September 5, 2018, from https://www.zdnet.com/article/trufflehog-high-entropy-key-hunter-released-to-the-masses/
Sears, C., & Isikoff, M. (2015, November 2). Chinese firm paid insider ‘to kill my company,’ American CEO says. Retrieved September 5, 2018, from https://www.nbcnews.com/news/world/chinese-firm-paid-insider-kill-my-company-american-ceo-says-flna6C10858966
Sherwood, J., Clark, A., & Lynas, D. (2005). Enterprise security architecture: A business-driven approach. Boca Raton: CRC Press.
Stahl, L. (2016, January 17). The Great Brain Robbery. Retrieved September 5, 2018, from https://www.cbsnews.com/news/60-minutes-great-brain-robbery-china-cyber-espionage/
Venezia, P. (2014, June 23). Murder in the Amazon cloud. Retrieved September 5, 2018, from https://www.infoworld.com/article/2608076/data-center/murder-in-the-amazon-cloud.html
Sharing this because I have shared many classes with many of you and we have often talked about how enterprises balance security investments vs. the cost of an exploit. I have argued in the past and continue to argue that many organizations focus on JES (Just Enough Security) to satisfy regulators, insurance companies, etc… The focus is not on securing personal information, but rather on reducing corporate risk; this is just another example of why.
Scott, always a good read, although I do have a bit of an issue with making the word “hacker” synonymous with “the big bad wolf”. 🙂 The “hackers” of the Homebrew Computer Club would probably take issue with this as well, folks like Ed Roberts, who built the Altair, the hardware platform that gave birth to Microsoft, and Steve Wozniak (aka Woz), who of course designed and developed the Apple I.
Hackers are individuals who enjoy the intellectual challenge of creatively overcoming limitations of software systems to achieve novel and clever outcomes. Now I do understand the modern-day (security) hacker colloquialism, so we have now turned what used to be a hacker culture into a maker culture, but they are essentially the same thing.
Furthermore, even if we stay with the colloquial definition of “hacker,” I am not sure that white hat hackers would appreciate being called “the big bad wolf,” but then again maybe they are “the big bad wolf,” just a sanctioned wolf.
I couldn’t agree more, nation-state hacking is modern-day warfare, waged in the depths of cyberspace with digital assets and information as the objective. Stuxnet is a great example, and the Stuxnet virus was just one virus in a massive U.S. cyber warfare operation called Olympic Games.
Sanger, D. E. (2012, June 01). Obama Order Sped Up Wave of Cyberattacks Against Iran. Retrieved September 9, 2018, from https://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
Schafer, S. (2017, March 31). White Hat vs. Black Hat Hackers and The Need For Ethical Hacking. Retrieved September 9, 2018, from https://www.clearpathit.com/white-hat-vs-black-hat-hackers-and-the-need-for-ethical-hacking
Regardless of my politics, my parents raised me with more sense than to burn my own (expensive) clothing. Here is an idea, if you don’t like the Nike campaign, don’t burn your clothes, take the money you now need to spend replacing the clothes and put it to work.
I am what you would call a value and comfort shopper, so if Nike shoes are comfortable and on sale, I buy Nike, not because I have an affinity for the swoosh or Phil Knight or Bill Bowerman or the latest ad campaign, but because they were comfortable and cheaper than the Adidas sitting next to them on the rack. Just Do It! Keep gluing rubber to a leather upper that is comfortable and having good sales, and I’ll be a customer. 🙂 I am actually amazed at the power of a shoe company to excite and enrage people.
Andrew, I know from being in numerous classes with you and reading other posts that you are focused on cloud technologies. I think we are seeing vulnerabilities in the Open Source and cloud world today that will be both challenging for enterprises to plug and will likely create an entirely new security market. With applications like truffleHog popping up every day and being made available to the masses, it’s far too easy to scrape public repositories like GitHub for security credentials.
I think we are in a world today where we are looking to enable developers; this means technology adoption is decentralized, occurring from the individual inward, rather than centralized and pushed from IT organizations outward. We are trying to balance enabling developers to increase the velocity of innovation while maintaining corporate governance; this is not easy.
When corporate IT was the glasshouse with centralized command and control we had Shadow IT; today DevOps has replaced Shadow IT. In some cases this shift was accompanied by governance, but in many cases organizations realized that the war on Shadow IT was unwinnable and pivoted to DevOps to reposition the exposure of Shadow IT as the fuel of innovation and competitive advantage. I believe there is a ton of opportunity for security providers to deliver tools that are transparent and frictionless to the enterprise, tools that will identify things like API keys being committed to a git repo and either stop the commit or, better yet, strip the sensitive information and allow the commit to happen (aka frictionless). The key here is transparent and frictionless.
Vadaganadam, A. (2018, May 30). Has DevOps Caused the Re-emergence of Shadow IT? Retrieved September 9, 2018, from https://devops.com/has-devops-caused-re-emergence-shadow-it/
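As an added example (not part of any of the posts above, and not truffleHog's own code), here is a truffleHog-style scanner of the kind the last reply describes and that would have caught the committed-credentials scenario from the "Risks to the Enterprise" post: run as a git pre-commit hook, it scans the lines a commit would add for known credential shapes and for high-entropy strings, and exits non-zero to stop the commit. The AWS key formats are public; the entropy thresholds (4.5 bits per character for base64-like text, 3.0 for hex) and the 20-character minimum are assumptions in the spirit of truffleHog's defaults, and the sample diff is constructed using the placeholder credentials from AWS's own documentation.

```python
"""Added example, not code from the original posts nor from truffleHog itself:
a truffleHog-style secret scanner for use as a git pre-commit hook. It scans
the lines a commit would add for (1) known credential shapes and (2) strings
whose Shannon entropy looks like key material, and exits non-zero on a hit."""
import math
import re
import subprocess
import sys
from collections import Counter

# Known credential shapes. AWS access key IDs are 20 chars starting AKIA/ASIA;
# secret keys are 40 base64-ish chars, usually next to a tell-tale variable name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
}

# Entropy check: runs of at least 20 base64-ish or hex characters. The
# thresholds (bits per character) are assumptions in the spirit of truffleHog's.
ENTROPY_RULES = (
    (re.compile(r"[A-Za-z0-9+/=]{20,}"), 4.5),
    (re.compile(r"[0-9a-fA-F]{20,}"), 3.0),
)


def shannon_entropy(s):
    """Bits per character: -sum(p * log2(p)) over the character frequencies of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line):
    """Findings for one line as (kind, secret) tuples; entropy hits that overlap
    a pattern hit are dropped so each secret is reported once."""
    findings, covered = [], []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(line):
            findings.append((kind, m.group(1) if m.groups() else m.group(0)))
            covered.append(m.span())
    for rx, threshold in ENTROPY_RULES:
        for m in rx.finditer(line):
            overlaps = any(m.start() < b and a < m.end() for a, b in covered)
            if not overlaps and shannon_entropy(m.group(0)) >= threshold:
                findings.append(("high_entropy", m.group(0)))
                covered.append(m.span())
    return findings


def scan_diff(diff_text):
    """Scan only the added ('+') lines of a unified diff. Returns a list of
    dicts with the file path, the offending line, the finding kind and the secret."""
    results, path = [], None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):            # new-file header, e.g. "+++ b/settings.py"
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("+"):             # an added line
            for kind, secret in scan_line(raw[1:]):
                results.append({"path": path, "line": raw[1:], "kind": kind, "secret": secret})
    return results


def staged_diff():
    """What the commit is about to record; runs git, so hook use only."""
    return subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample diff; the values are the placeholder credentials from
# AWS's documentation, not real keys.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,4 @@
 import boto3
-session = boto3.Session()
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+session = boto3.Session(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
"""


def main(argv):
    diff = SAMPLE_DIFF if "--sample" in argv else staged_diff()
    findings = scan_diff(diff)
    for f in findings:
        print(f"{f['path']}: {f['kind']} ({f['secret'][:4]}...) in: {f['line'].strip()}")
    return 1 if findings else 0               # non-zero exit aborts the commit


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Copy it to `.git/hooks/pre-commit` (executable) to block commits, or run it with `--sample` to see it flag the constructed diff. The hex rule will also flag content hashes and commit SHAs, the same noise truffleHog's entropy check is known for; an allowlist of known values, or a second-stage check that tries the credential against its provider, is the usual way to cut it down.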