Prepare for Increasing Frequency of “Nation-State” Cyberattacks with Strategy, not Technology

Chase Cunningham

Let me pose a question: “Is it a bad thing to give the average person a hand grenade with the pin pulled?” I think most of us would respond to that question with an emphatic “YES!”  No one in their right mind would think it's a good idea in any possible reality to allow anyone without extensive military or professional training to access an explosive--especially not one that is live and has no safety device in use. Bad things would happen, and people would probably lose their lives; at the very least, there would be damage to property. No matter what, this scenario would be a very bad thing and should NEVER happen.

OK, now let me change that question a bit: “Is it a bad thing for every person with a network connection to have access to extremely powerful nation-state-level cyber weapons?”  Hopefully you would respond similarly and say “YES!”

Just as the hand grenade juggling is a problem, so is the proliferation of nation-state-level exploits. These malicious tools and frameworks have spread across the world and are presenting a very complicated problem that must be solved. Unfortunately, the solution that we've currently been offered amounts to a variety of vendors slinging solutions and tools that, without good strategy, cannot effectively combat the myriad cyber artillery shells now being weaponized against every system that touches the World Wide Web. The bad guys have now officially proven that they can “outdev” the defensive technologies in place in many instances and have shown that it's highly likely that many installed legacy technologies are wide open to these weaponized attacks (anti-virus be darned) across the planet.

Data is the perimeter, defend it that way

Chase Cunningham

Unless you have been living under a rock or possibly hiding in the mountains of Montana with a giant beard and eating way too many government-issued MREs, you have probably heard about the nuclear bomb of a ransomware attack that kicked off last week. Welcome to the post-apocalypse, folks. For years, many of us in the cybersecurity industry have been jumping up and down on desks and trying to get the world (writ large) to pay attention to managing and patching outdated systems and operating systems that have been running legacy software, to no avail. Now that Pandora’s box has been opened and the bad guys have used the NSA-leaked tools as weapons platforms, all of a sudden everyone gives a dang. I caught no less than 17 talking heads on the news this morning stating that “this is the new reality” and “cybercrime is a serious threat to our way of life.” Duh; also, water is wet and fire is hot. Thank you, news.

Regardless of all the bad that is bouncing around the news and everywhere else today (and as I type this I can literally see a pew pew map on CNN that looks like a Zika Virus map showing the spread of WannaCry dominating the screen behind the anchor team) the reality around this “massive hack” and “global attack” is that if folks didn’t suck at patching their systems and followed basic best practices instead of crossing their fingers and hoping that they didn’t get hit the “end of days malware” would be basically ineffective.  The “hack” targets Windows XP systems, an old, outdated, unsupported OS that should have been pulled from use eons ago.  And if the legacy system running that OS couldn’t be pulled, IT SHOULD HAVE AT LEAST BEEN PATCHED.  Problem solved, or at least made manageable. 

Massive Ransomware Outbreak Highlights Need For A Digital Extortion Decision Tree

Jeff Pollard

5/12/2017 might be another day of cyber-infamy based on malware, as hospitals and critical infrastructure providers are locked out of their machines due to what appears to be a new variant of ransomware dubbed WannaCry spreading through corporate networks. Like the ransomware outbreaks in mid-2016 here in the US, NHS hospitals are experiencing patient care issues as a result of the malware, with some shut down completely as of 11:37 AM Eastern time.

Early analysis indicates the malware spreads via the SMB protocol, possibly using a vulnerability published by Microsoft on March 14th, per CCN CERT National Cryptologic Center. This same exploit mechanism appeared to be in use by ETERNALBLUE, included as part of the Shadow Brokers dump. Patching and update information from Microsoft is located here. For the specific list of affected systems, along with the CVE number, specific MS patch details, and alternative mitigation techniques, check here.

NIST Is Jealous That PCI (Still) Matters More Than It Does

Jeff Pollard

The summary of the new Executive Order is a bit of a letdown:

Government agencies must complete a risk management report within 90 days. The risk report should align with NIST.

Outside of those with a risk fetish, this new EO probably isn’t that exciting from the perspective of any near-term cybersecurity transformation. That said, there are some aspects worth mentioning:

  • Cybersecurity is now a multi-agency public policy issue driven by the Executive Branch. The Department of Homeland Security, Office of Management and Budget, Department of Commerce, Department of Education, Department of Labor, and Office of Personnel Management are all mentioned in the order.
  • The government wants to go shared services – including email, cloud, and cybersecurity services. The President requires a specific report on the costs related to modernizing government IT and cybersecurity by utilizing shared services.
  • Cybersecurity, services, and innovation are tied together with the order placing the Director of the American Technology Council as one primary stakeholder for the report modernizing IT and cybersecurity.
  • The order emphasizes workforce development as a key component of the United States cybersecurity advantage. Within 120 days, the order requires that the President receive a report on how to support the growth and sustainment of cybersecurity education.

Does the order change much? Not really.

Is it worth getting excited over? Absolutely, for those that felt the government had too few reports and committees.

For security practitioners? Probably not, but we are a cynical bunch by trade. It isn't transformative, but it does show incremental improvement by existing.

Then again, cybersecurity requirements for accepting credit cards are still tougher (and more enforceable) than ones for providing electricity...

Energy Is Embracing Zero Trust, All Industries Should Too

Stephanie Balaouras

I recently heard a segment on WBUR (a public radio station in Boston) on the emergence of microgrids and I was amazed at how much the concept of microgrids closely aligned with the concept of microperimeters within our Zero Trust model of information security. Zero Trust is a conceptual and architectural model for how security teams should redesign networks into secure microperimeters, increase data security through obfuscation techniques, limit the risks associated with excessive user privileges, and dramatically improve security detection and response through analytics and automation. Zero Trust demands that security professionals move away from legacy, perimeter-centric models of information security - which are useless for today's digital businesses no longer bounded by the four walls of their corporation - to a model that is both data and identity centric and extends security across the entire business ecosystem.

Zero Trust for MeatWare: It Applies to Us Humans Too

Chase Cunningham

Zero Trust principles have, thus far, been mainly aimed at the network and the technology that makes our interconnected systems “live.” That’s how the concept was originally meant to be applied, but the reality of the threat vectors and need for better security capabilities means that Zero Trust has to adapt just like everything else does. The concept for Zero Trust is super, and it's being adopted at quite a few major organizations, but there's still a problem:

Netflix Hack: Key Lessons In The Economics Of Ransomware And Managing Third-Party Risk

Renee Murphy

Netflix recently experienced a third-party breach. The data lost is Season 5 of Orange is the New Black, which is original Netflix content. Many are calling it the largest entertainment industry hack since Sony. I guess that is right, but how bad is it really?

First, here is what happened. Netflix transferred season five to their post-production third party in Los Angeles, Larson Studios, for sound mixing and editing. Larson does the post work for at least 25 episodics that run on Fox, ABC, IFC and Netflix. It was Larson Studios that was hacked and, according to thedarkoverlord (TDO), they made off with not just Netflix content but network content as well, putting at risk the release of Documentary Now, Portlandia, Fargo and many others.  TDO contacted Netflix and asked for a bitcoin ransom or it would dump their content for download. Netflix refused to be extorted and TDO made good on its threat.

That got me thinking…was Netflix right to not pay the ransom? What was the real impact of that decision? Can networks and studios do the same thing? Are they inoculated from third party damage because of their industry or their product? Let’s find out.

1. Was Netflix right to not pay the ransom? Yes. If I have learned anything from the State Department, it’s that we don't negotiate with terrorists. For Netflix, there is no reason to overreact or go to great lengths to explain the impacts. If you do an impact analysis, you see that it has a medium reputational risk, a low financial risk and no regulatory risk. With that kind of risk analysis, you don’t pay a ransom.

Security Challenges Drive Growth For IAM Solutions

Jennifer Adams

The world is changing fast, and bring-your-own-device (BYOD) and telecommuting are increasingly becoming the norm, not the exception. This increasingly mobile and flexible workforce creates new security challenges as more and different types of devices are being used in multiple locations. Security and risk professionals must ensure that only the right people get access to the right information at the right time and for the right reasons. Identity and access management (IAM) tools help evaluate who has authorized access to which resources and why.

In our recently published Forrester Data: World Identity And Access Management Software Forecast, 2016 To 2021 (Global), Forrester predicts that the IAM software market will grow to $13.3 billion by 2021, from $7.7 billion in 2016, implying an 11.5% CAGR.

While IAM has traditionally focused on access for employees and business partners, we actually expect customer identity access management (CIAM) to be one of the fastest growing IAM niches. CIAM requires a delicate balance between security measures that are strong enough but don’t detract from the customer experience. As a bonus, data collected by CIAM tools can help with customer retention and drive profitability. As companies learn to leverage this data, we expect 19.5% annual CIAM software growth over the next five years.

For Better Security Operations, Speak to the Pack in its Native Tongue

Chase Cunningham

I have a huge German Shepherd that ranks only slightly behind my human children when it comes to being spoiled and how much attention he gets.  I’ve been working on training him for nearly a year now, and he amazes me with how intelligent he is. He knows all the basics: sit, stay, here, lay down, etc. But he also picked up detecting scents very quickly and is learning to detect things with his nose that I can’t even see with my eyes. And he does all of these things faster than most kids learn to break the Netflix password.  

The other day, working with him on his training points, I thought to myself, “Woah, my dog speaks human.” Not just English either. He speaks German (that’s the language he's trained in), and he totally understands it. I realized the problem is that I don't speak “Dog.” My dog knows about 30 human words, and they are words in a language his master has no business trying to pronounce, mind you. But he knows what those words mean, and he gets the tasking or request down every time they're uttered. He could look at me for an hour and bark, growl, howl, yip, or yelp constantly, and he could be telling me the cure for cancer and I wouldn’t know it.  

OK that’s interesting, but what does it have to do with better communication among techies?

Okta Files to Go Public

Merritt Maxim

Yesterday, Okta filed its S-1 with the SEC, officially marking its intent to go public. This planned IPO had been rumored in early 2016, but less than optimal capital market conditions in 2016 likely contributed to the delay. The S-1 followed last week’s news that Okta acquired Stormpath, an identity API provider based in Silicon Valley, for an undisclosed amount.

The filing is not surprising but opens a window into the financial dynamics of the identity-as-a-service (IDaaS) market. After reviewing the S-1, three main themes stand out for me:

  1. IDaaS demand is very strong. Okta’s fiscal year ends on January 31, so full-year figures are not yet available for the period ending January 31, 2017. But comparing Okta’s revenue numbers for its 2015 fiscal year with its 2016 fiscal year shows an impressive 100% year-on-year growth. A big boost in service revenue also suggests that Okta is being deployed in larger, more complex environments that require more customization and services. Over the past 18 months, Forrester has had a steadily increasing number of IDaaS-related inquiries from enterprise clients looking to deliver identity and access management (IAM) capabilities to their employees via a SaaS subscription model. Okta’s revenue growth aligns with the strong growth in demand we see from our clients.