Reflection for the end of the year.

Once again we come together to talk about Cybersecurity, and one question keeps hammering our heads every day: “should I take classes and learn about Cybersecurity?” The answer seems trivial, and for someone already in the field it would be a resounding yes. But if you are a homemaker, a bus driver or a high school student, should you learn about Cybersecurity? The future we all see the world moving into forces an absolute yes.

Things like the internet, massive multiplayer online games (MMOG), RFID chips, plastic money, virtual reality, and much more expose our lives to a new hidden enemy and to a new set of threats that we aren’t used to dealing with yet. This overexposure of every event of our lives via social media and a “plugged-in world” is changing perceptions even of what privacy means.

Cybersecurity training is an excellent opportunity to learn how to recognize the dangers and how to protect yourself and your family, and it is a good skill to have in your current and future jobs. The experience, in general, can be very rewarding and uplifting. It will unveil before you another world, which we didn’t even dream existed.

The courses are filled with challenges of all levels. Some required extreme attention to detail; others required savvy orchestration, and some required social engineering and the ability to influence others. Nonetheless, it is not without difficulties: many of us may have to juggle increased expectations from family members and work, as people realize that you should be able to provide in-depth analysis of circumstances, as well as greater insight into daily tasks.

The time spent studying and researching for class work and exchanging thoughts with classmates is enlightening. It may be easier to take a class during vacation time to allow for research and further study, but bring your work experience too, as it adds value to what is shared during class.

All the experiences and opportunities to learn will serve as an eye opener to the realities of Cyberspace and what we are up against. The major takeaway is that the only solution seems to be education and training of future generations to deal with the dangers out there, so that they can learn to cope with this new reality.

The Nuclear Security Dilemma

Posting this week to emphasize the enormity of the risks we, as a civilization, are taking with the development of the Internet of Things. I wanted to comment on the announcement made by the Director-General of the International Atomic Energy Agency (IAEA), Yukiya Amano. He stated that there is a grave threat of nuclear power plants becoming the target of a disruptive cyber-attack, as evidenced by an attack on a German nuclear power station that occurred two to three years ago.

Well, so much for security in a disconnected power plant. Shall we add IoT to this mix just to make things more interesting? Mister Amano continued: “this is not a theoretical risk… This issue of cyber-attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we are aware of everything or if it’s the tip of the iceberg.”

We all have known for quite some time now that computer malware can and has been used to attack industry. These attacks have caused disruption and destruction to industrial complexes. Why not nuclear sites and related services? This issue has been brought to the attention of the United Nations and has been part of the discussion at IAEA cyber security conferences for a few years. However, it’s about time to see some action to improve safety, and one such measure should be to eliminate IoT industrial controls in nuclear-related sites.

The article by Andrea Shalal on Reuters states that the IAEA is providing countries with cell phone-sized equipment for detecting nuclear and other radioactive material. This action, assuming the countries on the receiving end of these detection devices do use them, can help minimize the effects of a dirty bomb but can do nothing to protect a nuclear power related facility from a cyber-attack.

What to do then? A Nuclear Energy Institute (NEI) Policy Brief lists as one of its key points the isolation of critical systems at nuclear sites from the Internet, and states that nuclear plants should start addressing cyber-security immediately. These two pieces of evidence lead to the conclusion that nuclear facilities aren’t ready to take on cyber-attacks and aren’t doing much to change their current state.

As we contemplate the landscape, we see organizations like the United States Nuclear Regulatory Commission (NRC) calling for increased security at many levels since the attacks of 9/11. Nonetheless, globally we see little in the way of cybersecurity standards and frameworks for these facilities coming into effect, and thus the international nuclear community is left to fend for itself in an uncharted new frontier: cyberspace.

If you have ideas on how to mitigate such threats, please let us know by commenting below.

IoT Security Baby Steps

Twenty-five organizations have banded together to develop a security framework for Internet-connected devices used for industrial purposes. The group is known as the Industrial Internet Consortium (IIC), and it is working to create a framework to secure IoT-connected equipment utilized in all industries. In fact, it has published the Industrial Internet Security Framework (IISF), which can be acquired at no charge from www.iiconsortium.org/IISF.htm.

With the publication of the IISF, manufacturers of IoT devices have common ground to address the security issues of connecting industrial equipment to the Internet. As we have seen recently from attacks using botnets like Mirai, which hijacked devices into doing dirty work, manufacturers are beginning to realize that connecting industrial equipment to the internet makes it more vulnerable to Trojans and viruses like Stuxnet.

We have to recognize that once a device is attached to the web, it becomes impossible to secure it all the time or in every context. Nonetheless, there are several situations where increased access to those devices is desirable: for example, a doctor reviewing a patient’s insulin intake remotely and making corrections as needed, or controlling temperatures in a nuclear reactor without having to go inside the reactor chamber.

Such scenarios show how much good can come from using the industrial Internet of Things (IIoT), but they also show how devastating the results of an attack like a Distributed Denial of Service (DDoS) can become when such systems are exposed to the internet with feeble security measures. One example of such weakness is devices that provide no option to change the default password.

Having a framework may be a step in the right direction; time will tell. Nonetheless, we are left to wonder whether addressing the three concerns of confidentiality, integrity and availability (CIA) is enough to outweigh the losses, as the probability of targeted attacks increases due to the competitive nature of the industrial sector or even national rivalries.

The impact of an attack against the industrial establishment of a city, state or country may be devastating to the local population and may have far-reaching consequences in today’s global economy. An analogy can be drawn with the impact of the 9/11 attacks against the Twin Towers in NY, which had a compound effect that resonated across the globe and is still felt today.

The situation is becoming more and more chaotic, and even this framework will not address the devices already in use in homes or industrial plants. The attack surface created by IIoT and IoT devices is immense and seems to become more and more unmanageable with the resources we have today.

Most agree that something must change, and a framework is a start. Nonetheless, it still requires the engagement of more than just 25 organizations. It also requires the participation of law enforcement, governmental and non-governmental institutions, as well as employee unions.

The framework is a good first step; however, baby steps in securing IoT and IIoT are too small for the leaps and bounds this technology is making. What are your thoughts?

Internet of Insecure Things

Recently we hear more and more that the Internet of Things (IoT) is going to catch on and drive big data and other wonders of the web. The thought is, basically, that all the devices we use will make sure we are part of the collective, and thus resistance is futile. Do we have a reason to resist? According to recent reports in the Cybersecurity world, we do have a reason to resist, and that reason is security.

The whole idea of joining the collective is to become more secure and resilient to attacks and threats. That doesn’t seem to be the case with IoT, because almost all internet-connected devices are vulnerable to attack. Even simple medical devices that people’s lives depend on are affected: as we read from John Mello at Tech News World, even insulin pumps are vulnerable.

This scenario illustrates the risk we are introducing into our society when using disruptive technologies like IoT. There seems to exist an inherent lack of respect for us humans in the current culture, and with it also a lack of interest from us humans about what is important for us.

The ordinary individual needs to gain an understanding of a few principal concerns, confidentiality, integrity, and availability (also known as CIA), before becoming assimilated into the Collective, because some things just cannot be undone easily or at all. As with most technology, once IoT enters the picture it will become part of the social fabric and cannot be removed. This provides an extraordinary opportunity for security breaches in all areas of our lives.

There are many questions we should be asking before we jump on the IoT bandwagon. How can we enter this wonderful collective that is IoT and not be burned? How can we share the responsibility for security with service providers, device and OS manufacturers? How can we trust that the industry will self-regulate and provide safety? Can we trust that our self-driving car won’t drive off a bridge while we doze off in the front seat?

It does not appear that IoT is a self-regulating industry. It has already shown little interest in our security. If anything, the recent agreement between Ford, MIT, and the cell phone companies indicates that they don’t care much about our privacy, and they get around it by writing it into the terms of use.

This time we may need intervention. Unfortunately, governments and law enforcement worldwide don’t seem too concerned with providing this type of security. It would require proactive action to avoid crimes, and new laws and regulations limiting what is allowed into agreements and terms of use.

In short, because of this scenario, I have to recommend resistance to IoT. Avoid it as much as you can. When out shopping, make sure to ask for internet disconnected electronic appliances and medical devices, and do the best you can to limit exposing your life to hackers.

What to do after a Cyber Security Incident?

Image 1 Security Breach

No IT department wants to hear the words “I think we may have a breach.” In well-organized and trained IT departments with strong security architecture plans, these words might be a daily occurrence and therefore not too feared. Enterprise Strategy Group (ESG) reports that today the number of alerts for large companies is overwhelming, but for medium to small departments serving organizations with little focus on security, these words are quite feared.

Several IT departments out there are underfunded, underutilized, and badly managed; and it shows in the applications they deploy. The situation is similar whether the organization deploys software acquired off the shelf or developed in-house. There is no focus on security beyond perhaps an accounts and password combination.

Most organizations out there don’t even have an IT risk management process, and for this reason they can’t justify budget and investments in security. Since they are unaware of what they have to lose, there won’t be any steps towards protection, and security won’t be part of any project, as it will easily be dismissed as unnecessary cost and delay. Even if a developer’s work is security-conscious, there won’t be anyone in quality assurance qualified to test security.

For companies like these, even if they have a security officer, most of the time there is no security plan, and thus nothing to guide the teams during an incident response (IR). In a situation like this, what should be the next steps? How should they behave? A quick browse of the internet landscape returns several steps to be taken in case of an attack, but most of them imply the existence of a plan.

Assuming no plan exists, these are the steps as suggested by most experts:

Perform an initial collection of evidence: Confirm that what you see could be an attack and attempt to qualify what kind of attack it may be – sometimes it might just be the result of a poorly engineered application. Spend about 15 minutes on this, no more.

Communicate: Sound the alarm, escalate first to the IT managers, let them know that you suspect an attack is happening, explain to them why you think this way, and bring the evidence you have collected thus far.

Plan a response: This is hard, but a must. IT managers should act upon any alert of a security breach, guiding and coordinating IT and other teams to work as one to mitigate the situation. This plan should include investigating the matter further, notifying upper management of the situation, and determining the course of action based on the findings.

This is far from being a comprehensive IR plan, but it will get you started. What do you think? Share your thoughts and suggestions in the comments below and let us know what else could be done.

To find out more you can read the following resources:

Australian Government, Department of Defense: Strategies to Mitigate

Lord, N. Data Breach Experts Share the Most Important Next Step You Should Take After a Data Breach in 2014 – 2015 & Beyond

SANS CIS Critical Security Controls

Reflection on resources


All, a few weeks ago I presented a list of resources that I thought interesting to follow. Many of you are asking why I don’t use them more often on my blog, and the answer is simple: that list was a brief selection of the most reliable resources; it was by no means all-encompassing.

I suggest you not limit yourselves to the resources I present on this blog, but continue looking for more information. Information can sometimes be found in the most unexpected places, and for this reason it is important to keep looking. I know life is busy, but I make a point of reading at least one article per day to stay current and abreast of trends.

Knowledge is a key factor in defending against cyber-attacks. To understand how future attacks could succeed, reading about how they were executed against other companies gives insight into what to look out for in your own network. For this reason, do not limit yourselves to the literature, resources, and links presented here; go beyond them, and if you find something out there, share it with me using the comments below.

DDoS Attacks

Organizations with networks that are accessible to and from the Internet are exposed to Distributed Denial of Service (DDoS) attacks. In any plan to adequately calculate their risk, organizations must understand the many facets of such attacks.

Let’s start our discussion by defining DDoS as a multi-source attack against exposed infrastructure (server, appliance, etc.) that disrupts or degrades its ability to function and provide service. DDoS attacks can be classified by the level of automation used, the vulnerabilities exploited, the rate of attack dynamics, and the impact. A visual description can be seen in the image below (Douligeris and Mitrokotsa, 2003).

Image: DDoS attack classification (Douligeris and Mitrokotsa, 2003)

There are many ways to defend against DDoS attacks, and the responses to these attacks can be classified based on activity and location, as pictured below (Douligeris and Mitrokotsa, 2003).

Image: DDoS defense mechanism classification (Douligeris and Mitrokotsa, 2003)

Another part of preparing for and defining the risks of DDoS attacks is determining the probability of an attack. To do so, it is necessary to understand why attackers perform DDoS attacks and how to categorize their motivations. Attackers’ motives are classified as Revenge, Competition, Politics, War and hiding Other Criminal Actions (Spacey, 2011). A visual explanation is depicted below.

Image: The five motives for DDoS attacks (Spacey, 2011)

Having a basic knowledge of DDoS attacks can help organizations understand the risk and also the importance of creating plans to mitigate such attacks. Controls must be put in place not only for the technical aspects of defending against DDoS attacks, but also to help answer the questions that could lead to attacks: what makes an employee disgruntled, what can be done to minimize employee dissatisfaction, and, if the attack is a distraction, what else might be targeted?

Understanding the nature of DDoS attacks and thinking about their sources is the first step in paving a path to protecting against them.
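The post defines DDoS as a multi-source attack and classifies responses by activity and location. One activity that sits at the victim's location is detection: noticing that request volume has jumped and whether it comes from one source or many. The script below is an added example, not part of the original post or of the cited papers. It parses web server access log lines in the common log format, buckets them into 10-second windows, and labels a window "distributed" when both the request count and the number of distinct client addresses exceed thresholds, or "single-source" when only the rate does. The log lines, the addresses (from documentation ranges) and the thresholds are all constructed for illustration.

```python
"""Toy detector that separates multi-source request floods from single-source
ones in web server access logs. Added example; log lines and thresholds are
constructed for illustration, not taken from any real incident."""
import re
from collections import defaultdict
from datetime import datetime

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), req, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def bucket_windows(events, window_seconds=10):
    """Group events into fixed windows keyed by window start (epoch seconds)."""
    windows = defaultdict(lambda: {"requests": 0, "sources": set()})
    for ev in events:
        epoch = int(ev["ts"].timestamp())
        start = epoch - epoch % window_seconds
        windows[start]["requests"] += 1
        windows[start]["sources"].add(ev["ip"])
    return windows


def classify_windows(windows, rate_threshold=20, source_threshold=5):
    """Return (window_start, label, requests, distinct_sources) for flagged windows.

    'distributed'   -> rate and distinct-source thresholds both exceeded (DDoS-like)
    'single-source' -> only the rate threshold exceeded (one noisy client)
    Thresholds are arbitrary illustrative values; tune them to baseline traffic."""
    findings = []
    for start in sorted(windows):
        n = windows[start]["requests"]
        s = len(windows[start]["sources"])
        if n >= rate_threshold and s >= source_threshold:
            findings.append((start, "distributed", n, s))
        elif n >= rate_threshold:
            findings.append((start, "single-source", n, s))
    return findings


def _line(ip, second, path="/index.html"):
    # Constructed log line at 07/Oct/2016 10:00:<second> UTC.
    return f'{ip} - - [07/Oct/2016:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: a quiet window, a multi-source flood, then a single noisy client.
SAMPLE_LOG = (
    [_line(f"192.0.2.{i % 3 + 1}", i) for i in range(6)]                 # seconds 0-5, 3 clients
    + [_line(f"198.51.100.{i % 10 + 1}", 10 + i % 10) for i in range(30)]  # seconds 10-19, 10 clients
    + [_line("203.0.113.7", 20 + i % 10) for i in range(25)]              # seconds 20-29, 1 client
)


def analyze(lines):
    """Parse the lines, drop unparseable ones, and return the flagged windows."""
    events = [ev for ev in (parse_line(l) for l in lines) if ev]
    return classify_windows(bucket_windows(events))


if __name__ == "__main__":
    for start, label, n, s in analyze(SAMPLE_LOG):
        print(f"window {start}: {label:14s} {n:3d} requests from {s:2d} sources")
```

The distinction matters for the response side of the post's classification: a single-source flood can be handled at the victim with a per-client rate limit or a block, while a distributed one needs upstream help (ISP, scrubbing service) because no single address stands out.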

References:

Douligeris, C. and Mitrokotsa, A. (2003). DDoS attacks and defense mechanisms: classification and state-of-the-art. Retrieved from: http://cys.ewi.tudelft.nl/sites/default/files/comnet.pdf

Imperva Incapsula (2016). DDoS Attacks. Retrieved from: https://www.incapsula.com/ddos/ddos-attacks/

Gangte, T. (2014). SYN Flood Attacks – “How to protect?” – article. Retrieved from: https://hakin9.org/syn-flood-attacks-how-to-protect-article/

Spacey, J. (2011). The 5 Motives for DDoS Attack. Retrieved from: http://arch.simplicable.com/arch/new/the-5-motives-for-DDoS-attack

The Associated Press (2009). How a denial-of-service attack works. Retrieved from: http://www.nbcnews.com/id/31803381/ns/technology_and_science-security/t/how-denial-of-service-attack-works/#.V_FfvvArIhd

The security risk of third parties

The security environment nowadays has become more complex and regulated. On one hand, organizations have an alarming number of threats to contend with (as evidenced by the number of breaches reported every day), and on the other hand there is an increased number of regulations put in place to address needs that have an impact on security (e.g., HIPAA, which regulates the privacy of medical records).

The problem with this complex environment is that organizations also receive services from third parties who may not have the same focus on security or don’t have to comply with privacy and other regulations. This proves to be a challenge to businesses trying to maintain the trust and confidentiality of client data as well as proprietary and corporate secrets. A recent example was the breaches of Target and Google, where customer data was compromised because of lax security at their third-party providers (Wei, 2016).

To avoid these issues, companies need to have in place a security framework with which third parties providing services to the business must comply. Third parties should also be required to undergo security procedure audits to ensure they meet the company’s security standards. The organization can also use this framework in a certification process, certifying the third party as trustworthy to do business with. This can create a security partnership between the two companies in which each contributes to the other’s security.

Reference:

Wei, W. (2016). Top 4 Data Breaches reported in the last 24 hours. Retrieved from: http://thehackernews.com/2016/05/top-data-breach.html

Enterprise and Threat Modeling

Modern enterprises seem to be slowly catching up to security, and with this also comes the need for developers and project managers (PM) alike to understand the security paradigm. We hear some people saying “Think like an attacker,” or do this and that, but when it comes down to the day-to-day, project managers and developers must be able to communicate effectively about security (Biafore, 2011).

Miscommunication in a project is a risk that enterprises cannot afford. Businesses are usually striving to be the first to market with applications that bring value, help captivate clients, drive sales, become excellent marketing tools that showcase the company as a center of excellence in technology, and build trust especially when it comes to security (Biafore, 2011).

The lack of project managers in the market has encouraged a culture that accepts project managers that don’t have experience in the types of projects or industries in which they are working. If the PM doesn’t know anything about IT how can we expect they will know anything about Cybersecurity? This lack of knowledge makes security requirements look like scope creep. To compound the issue, the other project funding venue for security—Project Risk Management—is in many cases relegated to an afterthought, if it’s considered at all.

This scenario, as absurd as it may seem, is quite common. For this reason, Microsoft brought to the market three compelling solutions that bridge the communication gap quite nicely. They are part of a simple approach, with clear communication at its core, that allows all sides to understand each other. It also simplifies tracking security requirements through Team Foundation Server (TFS) integration and a risk management framework (OWASP, 2015).

These solutions are part of the software development threat modeling process, which is an integral component of threat risk modeling. The tools come from Microsoft’s Security Development Lifecycle (SDL) and are STRIDE, DREAD, and the Threat Modeling Tool.


SDL Threat Modeling Process

The idea is simple; an organization will engage the CSO, the PM, development, and QA to identify security objectives. It is important to receive the go-ahead from leadership so that everyone can devote enough time to this work.

Subsequently, the team works with the software architects to decompose the application into one or more data flow diagrams that can be imported into the Microsoft Threat Modeling Tool. They can then start a series of brainstorming activities, analyzing the drawings following the STRIDE methodology (i.e., identifying at which points the application incurs the threat of spoofing identity, tampering with data, repudiation, information disclosure and denial of service) (Shostack, 2009).

Once STRIDE has identified the risks and the team is ready to start sprint planning, they can use DREAD (which stands for Damage, Reproducibility, Exploitability, Affected Users and Discoverability) to classify and prioritize the risks and decide when they will be worked on in the development cycles. The extra icing on the cake is that Microsoft’s Threat Modeling Tool integrates with TFS, so security-related requirements and tasks can be tracked. Also, the classification from DREAD can be incorporated into TFS using a template customization, which will depend on the version of TFS in use (Sullivan, 2010).

As we see from these contributions from Microsoft, it is possible for organizations to incorporate security risk management into their IT project practices, allowing them to address software security design from the beginning and have the software developed and tested to be secure.
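To show how the STRIDE-then-DREAD hand-off described above turns a brainstorm into a sprint backlog, here is an added example; it is not Microsoft’s tool or code and not part of the original post. Each threat carries its STRIDE category (all six letters are included, including elevation of privilege) and the five DREAD factors scored on a 1 to 10 scale; the DREAD risk is the average of the five factors, and the threats, the scores and the High/Medium/Low bands are constructed for illustration rather than taken from any real project.

```python
"""DREAD prioritisation of threats recorded during a STRIDE review.

Added example, not Microsoft's Threat Modeling Tool. Assumptions: each DREAD
factor is scored 1..10 and the risk is the plain mean of the five factors;
the threats and the High/Medium/Low bands below are constructed for illustration."""
from dataclasses import dataclass

# The six STRIDE categories, keyed by their letter.
STRIDE = {
    "S": "Spoofing identity",
    "T": "Tampering with data",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Threat:
    title: str
    stride: str              # one STRIDE letter
    damage: int              # D: how bad is it if exploited?
    reproducibility: int     # R: how reliably does it work?
    exploitability: int      # E: how much effort/skill is needed?
    affected_users: int      # A: how many users are hit?
    discoverability: int     # D: how easy is it to find?

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        for name in ("damage", "reproducibility", "exploitability",
                     "affected_users", "discoverability"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be in 1..10")

    def dread_score(self) -> float:
        """Mean of the five DREAD factors (assumed scoring model)."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5


def risk_band(score: float) -> str:
    """Constructed bands: >= 8 High (fix this sprint), >= 5 Medium, else Low."""
    if score >= 8:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritize(threats):
    """Return (title, STRIDE name, score, band) sorted highest risk first."""
    ranked = sorted(threats, key=lambda t: t.dread_score(), reverse=True)
    return [(t.title, STRIDE[t.stride], round(t.dread_score(), 1),
             risk_band(t.dread_score())) for t in ranked]


# Constructed findings from a hypothetical web application review.
SAMPLE_THREATS = [
    Threat("Session token sent over plain HTTP", "S", 8, 9, 8, 9, 9),
    Threat("App account can delete its own audit log entries", "R", 5, 7, 4, 3, 6),
    Threat("Unauthenticated search endpoint can exhaust the database", "D", 7, 8, 7, 10, 7),
    Threat("Verbose stack traces shown on error page", "I", 3, 10, 6, 4, 9),
    Threat("Admin flag accepted from client-side request body", "E", 10, 9, 8, 10, 5),
]

if __name__ == "__main__":
    for title, category, score, band in prioritize(SAMPLE_THREATS):
        print(f"{band:6s} {score:4.1f}  [{category}] {title}")
```

The sorted output is what would be fed into sprint planning: the High items become backlog entries for the current iteration, and the score and band map onto whatever bug-bar fields the team's tracker provides, which is the role the post assigns to the TFS template customization.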

References:

Biafore, B. (2011). The Project Communication Plan. Retrieved from: http://www.mpug.com/articles/the-project-communication-plan/

Microsoft (2005). The STRIDE Threat Model. Retrieved from: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

Microsoft (2016). SDL Threat Modeling Tool. Retrieved from: https://www.microsoft.com/en-us/SDL/adopt/threatmodeling.aspx

SDL Team. (2015). What’s New with Microsoft Threat Modeling Tool 2016. Retrieved from: http://blogs.microsoft.com/microsoftsecure/2015/10/07/whats-new-with-microsoft-threat-modeling-tool-2016/

Shostack, A. (2009). Security Briefs – Getting Started with The SDL Threat Modeling Tool. Retrieved from: https://msdn.microsoft.com/magazine/dd347831.aspx

Sullivan, B. (2010). Security Briefs – Add a Security Bug Bar to Microsoft Team Foundation Server 2010. Retrieved from: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx

OWASP (2015). Application Threat Modeling. Retrieved from: https://www.owasp.org/index.php/Application_Threat_Modeling

Good Cybersecurity Resources to follow

When considering the subject of Cybersecurity, the first thing that comes to mind is: which sources can be trusted to provide useful information and resources for building a large body of knowledge, ranging from industry standards, opinion articles and discussions of current events to governmental resources?

In answer to this question, I have compiled a short list of reliable online resources to get one started building their knowledge base.

Industry standards

  • OWASP – http://www.owasp.org A good resource to find information about web and mobile application security.
  • NIST – https://www.nist.gov/ A good standard for organizations from family owned to large enterprises.
  • ISACA – https://www.isaca.org/ A good source of resources for those working in the security field including some well recognized professional certifications.
  • ISO – http://www.iso.org/ A good standard for everything, more geared to mid-sized to large organizations, as it can get quite expensive.
  • CVE Details – https://www.cvedetails.com/ A good source to find known vulnerabilities for most commercially available software.

Magazines, News and Blogs

  • Threat Modeler – http://threatmodeler.com/ An interesting site to get you going identifying vulnerabilities and threats.
  • Tech Republic – http://www.techrepublic.com/ A good source for opinion articles to help you understand contemporary security trends.
  • Tripwire – http://www.tripwire.com/ A place to find opinion articles that help you dive deeper into the security way of life.
  • Microsoft – https://blogs.microsoft.com/microsoftsecure/ This blog talks about how to achieve security using Microsoft products.
  • Security Innovation Europe – http://www.securityinnovationeurope.com/ A good source for articles about security in the global theater.
  • CSO Online – http://www.csoonline.com/ An online magazine that focuses on information for security professionals.

Government Resources

  • US-CERT – https://www.us-cert.gov/ American government resources for security awareness.
  • FBI – https://www.fbi.gov/investigate/cyber Information about laws and cyber-criminal stats.
  • INTERPOL – http://www.interpol.int/Crime-areas/Cybercrime/Cybercrime An international and global view of cybercrimes.

All of these have great information for security newbies, with enough material to get you started. They are also useful for security buffs diving deep into perfecting their strategies.

I hope you enjoy reading these sites. In case you feel I missed a good resource let me know in the comments.