Top Secret Tinseltown

So this is a city with a lot of secrets. 


I’m not talking about just the run-of-the-mill, non-disclosure agreement (NDA).


This is Top Secret Tinseltown!


And even the stuff that comes out in the news–whether it’s clandestine transfers of $1.7 billion to the Ayatollahs in Iran or the Uranium One deal with the Russians–shows there are plenty of dirty little games going on.


What was hilarious is when we saw this huge industrial shredding truck in the parking lot:

Paper Shredding * Electronic Destruction * Medical Waste Disposal


And there was a line of cars waiting to get rid of their little secrets.


I kid you not when I say that on a Saturday morning, there were at least 25 cars in line to dispose of their “stuff.”


Now who do you know, in what city, waits 25 cars deep in line for an industrial shredder on a Saturday morning?


And the cars are pulling up, the trunks are popping open, and boxes and boxes of paper and electronic files are being handed over. 


Gee, I hope the Russians or Chinese aren’t getting into the shredding business…and inside the truck isn’t a large shredder but a bunch of analysts waiting for you to hand it all over. 😉


(Source Photo: Andy Blumenthal) 

Never Ever More Vulnerable


So we have never been more technologically advanced. And at the same time, we have never been more vulnerable.


As we all know, our cybersecurity has not kept anywhere near pace with our ever-growing reliance on everything technology.


There is virtually nothing we do nowadays that does not involve networks, chips, and bits and bytes.


Energy

Transportation

Agriculture

Banking

Commerce

Health

Defense

Manufacturing

Telecommunications


If ANYTHING serious happens to cripple our technology base, we are toast!


From a crippling cyberattack that disables or hijacks our systems, steals or locks down our data, or creates a massive chaotic flow of misinformation, to an EMP blast that simply fries all our electronic circuitry–we are at the mercy of our technology underpinnings.


Don’t think it cannot happen!


Whether it’s WannaCry ransomware or the Equifax breach of our privacy data or the Kaspersky Labs hidden backdoor to our top secret files or North Korea threatening to hit us with an EMP–these are just a few of the recent cyber events of 2017!


Technology is both a blessing and a curse–we have more capability, more speed, more convenience, more cost-effectiveness than ever before, but also there is greater vulnerability to complete and utter death and destruction!


This is not just a risk that life could become more difficult or inconvenient–it is literally an existential threat, but who wants to think of it that way?


People, property, and our very society are at risk when our cybersecurity is not what it must be.


It’s a race of defensive against offensive capability. 


And we can’t just play defense, we had better actually win at this! 😉


(Source Photo: Andy Blumenthal)

Nation In Denial


We are a nation in utter denial over our problems.


Just to name a few…


Whether from the threat of North Korean dictator, Kim Jong Un, who smiled while displaying a video yesterday of nuclear missiles destroying the USA.


To the shooting death of three in Fresno, CA yesterday by a man shouting “Allahu Akbar” that was deemed not a terrorist attack.


To our national debt of $20 trillion which quadrupled in just the last 15 years under the administration of both political parties.  


Unfortunately, denial is still alive and well, while smiling photos of the North Korean dictator adorn the light poles outside the capital of the USA.


We don’t like to admit our problems, be it despots threatening us with WMD, global terrorism that gives us no peace, or a mammoth debt that is sinking our national economic sustainability.


Smile for the camera!


Don’t worry about big problem-solving. 


What we don’t admit can’t hurt us–or can it? 😉


(Source Photo: Andy Blumenthal)

On The Lookout To Managing Risk


So risk management is one of the most important skills for leadership. 


Risk is a function of threats, vulnerabilities, probabilities, and countermeasures. 


If we don’t manage risk by mitigating it, avoiding it, accepting it, or transferring it, we “risk” being overcome by the potentially catastrophic losses from it.


My father used to teach me when it comes to managing the risks in this world that “You can’t have enough eyes!”


And that, “If you don’t open your eyes, you open your wallet.”


This is truly good, sound advice when it comes to risk management, and I still follow it today.


Essentially, it is always critical to have a backup or backout plan for contingencies.


Plans A, B, and C keep us from being left in the proverbial dark when faced with challenge and crisis.


In enterprise architecture, I often teach that if you fail to plan, you might as well plan to fail.


This is the truth–so keep your eyes wide open and manage risks, and don’t just hide your head in the sand of endless and foolhardy optimism for dummies. 😉


(Source Photo: Andy Blumenthal)

Cybersecurity Lost In Unknowns


Unveiled today is a new Cybersecurity National Action Plan.


This comes in the wake of another Federal data breach on Sunday at the Department of Justice, where hackers stole and published online the contact information for 9,000 DHS and 20,000 FBI personnel.


And this coming on the heels of the breach at OPM that stole sensitive personnel and security files for 21 million employees as well as 5.6 million fingerprints.


It is nice that cybersecurity is getting attention with more money, expertise, public/private partnerships, and centers of excellence.


But what is so scary is that despite our utter reliance on everything cyber and digital, we still have virtually no security!


See the #1 definition for security–“the state of being free from danger or threat.”


This is nowhere near where we are now facing threats every moment of every day as hackers, cybercriminals, cyber spies, and hostile nation states rapidly cycle to new ways to steal our secrets and intellectual property, commit identity theft, and disable or destroy our nation’s critical infrastructure for everything from communications, transportation, energy, finance, commerce, defense, and more. 


Unlike with kinetic national security issues–where we regularly innovate and build more stealthy, speedy, and deadly planes, ships, tanks, surveillance and weapons systems–in cyber, we are still scratching our heads, lost in unknowns and still searching for the cybersecurity grail:


– Let’s share more information.


– Let’s throw more money and people at the problem.


– Let’s seek out “answers to these complex challenges.”


These have come up over and over again in plans, reviews, initiatives, and laws for cybersecurity.


The bottom line is that today it’s cyber insecurity that is prevailing, since we cannot reliably protect cyber assets and lives as we desperately race against the clock searching for real world solutions to cyber threats. 


Three priorities here…


1) Build an incredibly effective intrusion protection system

2) Be able to positively tag and identify the cyber attackers 

3) Wield a powerful and credible offensive deterrent to any threats 😉


(Source Photo: Andy Blumenthal)

SCADA In Pictures


So SCADA are Supervisory Control and Data Acquisition systems.

They are a form of Industrial Control Systems (ICS) that monitor and control major industrial processes from power generation, transmission, and distribution, to water treatment, chemical production, air traffic control, traffic lights, building controls, and more.

These are part of our nation’s critical infrastructure.

In the lab, we are able to use tools to capture and analyze communication packets and edit and re-use them to:

– Turn on and off lights

– Open/close perimeter gates

– Control water and gas pipelines

– And even open and close a bridge

This was very scary!

No one, unauthorized, should be able to do this in real life, in the physical world.

This is a major security vulnerability for our nation:

– SCADA systems should not be openly available online; instead they should be controllable only locally, or remotely only through an encrypted virtual private network (VPN).

– SCADA systems should not be available without proper access controls–there must be user ID and password credentials, and two-step authentication should be required as well.
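As an added example (not part of the original post, and not the lab tools it mentions), the following Python shows why a captured command frame can simply be re-sent against a protocol that has no authentication, and how a shared-key HMAC combined with a monotonically increasing counter lets the field device reject both modified and replayed frames. The frame layout, the shared key, and the device and command names are constructed for illustration and do not correspond to any real ICS protocol.

```python
"""
Replay protection for a toy SCADA-style command channel (added example).
Assumptions: a 4-byte big-endian counter, a "device|action" ASCII body,
and a trailing HMAC-SHA256 tag over counter+body. None of this is a real
ICS protocol; it only illustrates the mitigation.
"""
import hashlib
import hmac
import struct

# Constructed shared secret between controller and field device (demo only).
SHARED_KEY = b"example-shared-key-for-demo-only"
TAG_LEN = 32  # HMAC-SHA256 digest size in bytes


def build_command(counter: int, device: str, action: str, key: bytes = SHARED_KEY) -> bytes:
    """Build an authenticated frame: counter || device|action || HMAC tag."""
    body = struct.pack(">I", counter) + device.encode() + b"|" + action.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class FieldDevice:
    """Toy field device that remembers the highest counter it has accepted."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_counter = 0
        self.log = []  # actions the device actually carried out

    def accept_unauthenticated(self, frame: bytes) -> bool:
        """The 'before' case: any well-formed frame is executed, replays included."""
        _device, action = frame.split(b"|", 1)
        self.log.append(action.decode())
        return True

    def accept_authenticated(self, frame: bytes) -> bool:
        """The hardened case: verify the tag, then require a strictly newer counter."""
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or modified frame: tag does not verify
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return False  # replayed (or stale) frame: counter not fresh
        self.last_counter = counter
        _device, action = body[4:].split(b"|", 1)
        self.log.append(action.decode())
        return True


def replay_demo():
    """Send the same captured frame twice to each device variant.

    Returns (unauthenticated_results, authenticated_results), each a list of
    two booleans: whether the first send and the replay were accepted.
    """
    plain_dev = FieldDevice()
    captured_plain = b"gate-1|open"  # constructed capture of an unauthenticated frame
    plain = [plain_dev.accept_unauthenticated(captured_plain),
             plain_dev.accept_unauthenticated(captured_plain)]

    auth_dev = FieldDevice()
    captured_auth = build_command(1, "gate-1", "open")  # constructed capture
    auth = [auth_dev.accept_authenticated(captured_auth),
            auth_dev.accept_authenticated(captured_auth)]
    return plain, auth


if __name__ == "__main__":
    print(replay_demo())  # ([True, True], [True, False])
```

The counter must survive device restarts (persisted in non-volatile storage), or a replay becomes possible again after a reboot; and the shared key has to be provisioned out of band. For legacy equipment whose protocol cannot be changed, the VPN recommendation above plays the same role by authenticating and encrypting the whole link around the unprotected frames.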

No one but vetted, cleared, authorized, and trained personnel should be able to monitor and control our critical infrastructure–otherwise, we are giving them the keys to disrupt it, destroy it, and use it for terror.

We owe our nation and families better, much better.

(Source Photos from lab: Andy Blumenthal)

Medical Hacks


Usually when we talk about the dangers of cyber attacks, we are concerned with the dangers of someone stealing, spying, or systematically corrupting our information systems.

But Barnaby Jack, who died last week at age 35, brought us awareness of another, more personal and perhaps more dangerous hack: hacking medical devices.

Barnaby, a director at computer security firm IOActive, first became known in 2010 for hacking a cash machine and having it dispense money.

In 2012, he drew attention to a flaw in insulin pumps whereby someone could cause it to administer a fatal dose to its unknowing victim.

This week, Barnaby was going to demonstrate how heart implants could be hacked, killing a man from 30 feet away.

With advances in the miniaturization and battery life of personal medical devices and implants for monitoring and managing patients’ health, more and more people could be exposed to malicious or murderous cyber attacks on their body.

With the potential for RFID embedded chips for managing our personal identities, to bionics for replacing or enhancing human body parts with electronic and mechanical implants, the opportunity for someone to seriously mess with our physical person grows each day.

If dangerous vulnerabilities are discovered and exploited in these devices, an enemy could go from the traditional attack on our information systems to potentially sickening, disabling, or even killing millions at the stroke of some keys.

Imagine people keeling over in the streets as if from a surprise attack by a superior alien race or the release of a deadly chemical weapon, only it’s not extraterrestrial or kinetic, but instead a malevolent cyber attack by a hostile nation or cyber terrorist group taking aim at us in a whole new and horrible way.

(Source Photo: here with attribution to Bhakua)

Like Buying A Nuke On The Black Market


Buying a serious computer vulnerability is now like acquiring a nuke on the black market.

Nations and terrorists will pay to find the fatal flaw in computer programs that will enable them to perpetrate everything from subversive cyber spying to potentially massively destructive cyber attacks.

As the world is focused on nuclear non-proliferation, computer weapons are the new nukes–able to do everything from a targeted strike on an organization or agency to taking out vast swaths of our nation’s critical infrastructure.

According to the New York Times (13 July 2013), there is a great interest in buying “zero-day exploits”–one where governments or hackers can strike using a computer vulnerability before anyone even knows about it and can correct it.

The average zero-day exploit persists for “312 days–before it is detected”–giving ample time for attackers to cash in!

Brokers are now working to market the computer flaws for a 15% cut, with some even “collecting royalty fees for every month their flaw is not discovered.”

The average flaw “now sells for around $35,000 to $160,000,” and some companies that are selling these are even charging an annual $100,000 subscription fee to shop their catalog of computer vulnerabilities, in addition to the cost for each one, which varies with its sophistication and the pervasiveness of the operating system behind the exploit.

While governments and terrorists are on the prowl to buy the exploits for offensive purposes, technology companies are competing to purchase them and are offering “bug bounties” in order to identify the flaws and fix them before they are exploited.

We’ve come a long way from people and organizations buying software with their regular upgrades and patches to nations and hackers buying the knowledge of the flaws–not to patch–but to spy or harm their adversaries.

You can buy the bomb shelter or software patch, but someone else is buying the next more lethal bomb or vulnerability–the question is who will pay more to get the next exploit and when and how will they use it.

(Graphic by Andy Blumenthal adapted from here with attribution for the mushroom cloud photo to Andy Z.)

Friends or Foes


People are amazing creatures–they can be sincere and trustworthy, or phonies and users. How do you tell them apart?

I learned in enterprise architecture and information architecture that information is power and currency–i.e. that those who have it rule and those who know how to get it–are the kingpins.

They may get information legitimately through research, study, reading, review, and working with others, or they may cozy up to others illegitimately–or, more to the point, to find out “what’s going on?”, what they have heard, or “what’s the real scoop?”

In some cases, it is merely benign networking and that is a healthy thing–or as they say, “it’s not what you know, but who you know.”

But in other cases, some people may take it too far, and literally prey on others when they are vulnerable, trusting, or simply let their guard down.

We spend a lot of our waking hours in the office, and therefore people’s social needs manifest in work friendships, confiding in others, going out for a coffee, lunch, drinks, etc.

However, at work, people are also competitive and can be ruthless in getting what they want, making themselves look good, badmouthing others, going for that “gotcha”, and even stealing other people’s ideas and hard work–now where did they leave that notebook?

So when you tell an associate something–are they trustworthy with your feelings, experiences, information tidbits or will they take what you share and use it for their own ends?

There are a lot of good, decent people out there, but unfortunately, not all people are.

Is their face for real or a poker face? Are they playing on your side or playing you? Will they come to your aid at the moment of truth or use the opportunity to thrust the blade through your back?

My father used to joke about some people being two-faced, and then ask why they would choose that (ugly) one that they have on. 🙂

I always learned that talk is cheap and actions speak volumes. So when someone asks about your latest project, your kids, or ailing parents–is it from someone who genuinely gives a hoot, or from someone who’d like to get you off guard, even for that split second?

In the military, this would be related to psychological operations (PsyOps)–getting into the other’s person’s head, figuring out what makes them tick, and then using that to extract intelligence or inflict mental and emotional “blows.”

In law enforcement, perhaps the equivalent would be the old “good cop, bad cop” routine–where one person offers you some cold water or a cigarette and tells you everything will be alright, while the other person slams the table, yells, threatens, and says “you’re going to be going away for a long time.”

There are lots of ways to get into a person’s head, under their skin, and get to that valuable information–without going to the level of physical “torture” techniques, some of which have since been generally outlawed, such as waterboarding.

So which people that you deal with are good, genuine, helpful, and have integrity, and which are selfish, nasty, and cruel?

It is definitely a challenge day in and day out to tell who is who–and you shouldn’t let the bad apples out there ruin your trust in all people–you just have to make sure to look beyond the veneer, to see if the other person is more friend or foe.

(Source Photo: here with attribution to BlueRidgeKitties)

Security Advisory For Architecture Drawings


Dark Reading (21 June 2012) came out with security news of an AutoCAD worm called ACAD/Medre.A that targets design documents.

I also found warnings about this vulnerability at PC magazine (24 June 2012).

This malware was discovered by computer security firm ESET.

This is a serious exploitation in the industry leader for computer-aided design and drafting that is used to create most of our architectural blueprints.

Approximately 10,000 machines are said to have been affected in Peru and vicinity, with documents being siphoned off to email accounts in China.

With information on our architectural structures and designs for skyscrapers, government buildings, military installations, bridges, power plants, dams, communication hubs, transportation facilities, and more, our critical infrastructure would be seriously jeopardized.

This can even be used to steal intellectual property such as designs for innovations or even products pending patents.

This new malware is another example of how cyber espionage is a scary new reality that can leave us completely exposed from the inside out.

Need any more reason to “air gap” sensitive information and systems?

(Source Photo: here with attribution to Wade Rockett)