I wanted to announce that the reports based on our annual Security Survey of nearly 2,000 organizations are live as of Monday, January 25th. These are among our most widely read security reports, with insight into IT security priorities, challenges, state of compliance efforts, and of course adoption of security technologies and services.
Or: why “advanced persistent threat” is the wrong phrase
Google's revelation that it was hacked by (likely) Chinese actors has helped propel another round of stories, blog posts, and analyses about What It Means. I have participated in some of these discussions, and my colleague Chenxi Wang has written severalilluminating posts about the nature of the attacks.
The specific means of compromise, a zero-day Internet Explorer exploit, has raised awareness of a phenomenon referred to as the “Advanced Persistent Threat,” concisely described by Lockheed Martin’s Mike Cloppert as “any sophisticated adversary engaged in information warfare in support of long-term strategic goals.” In his posts, Mike also nearly always uses APT in conjunction with the word “actor” (as in: APT actor) because he means a particular adversary. Mike's definitions are important because they help clarify what APT is, and what it is not. Expanding on his definition a bit, here is what I believe APT is:
Just this week on Tuesday, NIST published release 1.0 of the smart grid interoperability standards. Most notably, this is the first attempt to address cyber security in smart grid deployments. This release points to various standards that can be used for implementing interoperability and security controls, and it’s fair to say that it plants the seeds for what should become comprehensive, control-driven guidelines for implementing various aspects of smart grid.
The timing of this report is perfect, as current smart grid rollouts are often criticized for lack of proper security controls. Our utility customers have shown similar concern about the lack of planning for information security before the roll out phase. This lack of security and risk management perspective in the smart grid ecosystem can jeopardize the overall objective of these smart energy initiatives, and it’s about time that we devise a game plan going forward.
The NIST publication will be an important piece of work as it brings various standards, bodies, and regulators like IEEE, NERC, and FERC to the table. Note, this is not a control based standard like others published by NIST, but a guideline to other frameworks that should be referenced when working in a smart ecosystem. A more control based work on cyber security in smart grid is in development and the draft of these standards is available for public review.
A few important highlights to pay close attention to in the cyber security sections are:
Google called again after I posted the latest follow up to the Google hack story. Wow, two calls from Google AR in the span of an hour! They were uncomfortable about the way I characterized the involvement of the corporate VPN in the Google attack. The official on-the-record word from Google is: "This is not accurate." So, I should rephrase how the attack happened:
a) A Google employee's machine that was running IE v6 was compromised via the IE vulnerability.
b) The attacker used the compromised machine to somehow gain access to Google servers (some of which housed critical information). The method of access, at some point, may have involved VPN, but Google does not agree with the characterization that "the compromised client used their corporate VPN to gain access to the servers." At Google's request, I retract that particular statement.
This is what we do know factually:
1) The attack on the Google server happened.
2) Google immediately decided to do an emergency update of their entire corporate VPN infrastructure.
Could these two things be entirely unrelated? I doubt it. But Google isn't going on the record to say that the attack came in via the VPN, and that's their official position.
On a positive note, Google is actively trying to schedule the security interview with me. So hopefully I'll have more to report shortly.
By now, much has been written about last week’s attack on Google, Yahoo, and more than 30 other companies. Google’s stark reaction to the attack has put the company at the forefront of this news story. At stake is one of the world’s largest Internet markets, as well as the already tenuous relationship between US and China - it is no wonder this attack is drawing the attention of headlines worldwide.
Rather than discuss the extent of the cyber threat from China, or whether Google should effectively pull out of China by ending the censoring of search results (or why it was even in China to begin with), the most interesting and telling thing I'm seeing from all the discussion on this is the visibility of the defense contracting and intelligence consulting community, and how that visibility and even dominance is going without much comment by industry watchers and without much challenge by traditional security firms. Who is going to analyze and say with confidence whether the attack came from proxies or direct representatives of the Chinese state? It's the defense contractors. Like the July 4 attacks targeting the US and South Korea, the traditional defense contractors — Lockheed Martin, Northop Grumman (also targeted), and Raytheon, most notably) are the go-to authorities on this, while Symantec (which was also one of the targets in the multi-pronged attack), McAfee, and others are left merely to talk about how the attacks in and of themselves might fuel greater interest in their security technologies.
According to my friend Pete Lindstrom, the Information Systems Security Association (ISSA) is surveying its members for suggestions on three 2009 stories that, in retrospect, were the "most" of something. I'm not a member of the ISSA, but awards are fun, right? Here are my nominations:
Most significant breach of 2009: Heartland Payment Systems
Yes, this breach happened in 2008. But the story broke in 2009, so I'm counting it.The significance of the breach wasn't just the size (130 million credit card numbers). The story that surrounded the breach provoked some interesting debates about the role of PCI, the effectiveness of auditors, and the willingness of clients to QSA-shop, ignore advice, and blame third parties for their own failures.
Most overhyped story: "The cloud is insecure, m'kay?"
It is easy and appropriate -- today -- to discuss the risks assoociated with putting applications and data on semi-public devices you don't own. Criticizing is easy, but the fixing is more interesting. I predict that in time "the cloud" will be the best thing that has ever happened to information security, because it focuses attention on the data, not the infrastructure. Or to put it differently, it puts the "information" back into Information Security. This is exactly the discussion we need to have.