Blog Posts From Open Port IT Community Tagged With intel

Our New PC Delivery Process Cuts Employee Downtime

webadmin@intel.com — Wed, 15 May 2013 19:49:16 GMT

Getting a new PC used to take valuable time out of the workday. But as part of our focus on a user-centered model of delivering IT services, Intel IT recently optimized our PC delivery process, resulting in improved employee productivity, a better employee experience, and reduced operational costs. These process improvements allow our employees to return to work more quickly, reducing their downtime from an average of 4.5 hours to 1 hour, a 77-percent reduction. Read the paper "New PC Delivery Process Cuts Employee Downtime" to learn about the changes we made.

Enterprises Security Choices and Tradeoffs for BYOD

webadmin@intel.com — Mon, 13 May 2013 19:34:26 GMT

Bring Your Own Devices (BYOD) continues to gain momentum as users bring devices into work environments by the droves. Enterprises must make tricky security decisions to balance the tradeoffs of costs, user productivity, and security.

BYOD is effecting organizations both large and small. In our highly connected world, workers bring in familiar and favored smartphones, tablets, and other compute devices into work and expect to leverage them for convenience and to improve productivity. It can have a great positive effect on the business but also raises security concerns. Management can’t hide from taking a position, establishing boundaries, and understanding the tradeoffs.

In today’s responsible corporate environment, enterprises realize the danger of uncontrolled devices on their network and accessing business data. It introduces chaos to security and IT manageability, driving up risks and expenses. Organizations want to enable productivity of employees but must maintain a level of acceptable risks and keep costs flat, or at the very least justifiable. It is a tough balancing act between risks, costs, and user productivity.

Management has a number of high level choices, each with pro/cons and other tradeoffs. Before committing to a particular path, leaders must understand these options in order to select the best direction to set for their organization:

1. No personal devices allowed. Forbid personal smartphones, tablets, and non-managed computers from accessing work systems, networks, and data.
Pro: This stratagem manages security risks and keeps costs relatively flat. It has been the traditional solution.
Con: Not practical for 99.9% of the world. It’s like trying to hold back a tidal wave with a paper cup. Workers, starting with the tech savvy, will bring in devices and connect them, soon to be followed by the rest of the staff. Most likely they and the less technical community has already been doing this for some time. It starts with email forwarding, access to work calendars, meeting logistics, file sharing, instant messaging, etc. Implementing such a policy ignores the opportunity for significant worker productivity gains and stifles flexibility which is so desired by everyone. When employees have convenient access to such data, they are more effective, efficient, and happy.

2. Company provides mobile devices. Providing corporate managed devices in lieu of employees’ personal devices, allows vetting of systems before they access work networks and data.
Pro: Security standards, selective deployment, and the ability to enforce controls, allows the organization to manage risks and costs.
Con: Upfront expenses are high, user happiness tends to be low, and manageability costs slowly creeps up over time. The out-of-pocket equipment and service costs can be very expensive. To control costs, most organizations will not provide everyone a company device. So there emerges a “have” and “have-not’s” class system which spawns resentment. Those who are provided devices must manage their personal devices in addition to the company provided ones. If you have ever been forced to carry two phones, you know how much of a pain this becomes.

Even in a perfect environment with happy users, a different problem emerges. The comingling of personal and private data on employer managed devices. This can be a nightmare, fraught with legal and ethical pitfalls.

Each class, brand, and even model must be configured and secured. IT departments must support users trying to access services and data. The more types of devices, the more complex and expensive the support becomes. One of the keys to managing support costs is scalability. So, it is normal for an organization to settle on one or two to start. Which will not make everyone happy as people have their own preferences. Demand can grow to expand the list of supported configurations, especially as new options become available in the marketplace. Expanded support is great for users, but a nightmare for IT as it increases the legacy support of older configurations which are still in use. Over time the cost to support will steadily increase and the cost of refreshing old and damaged devices will be ever present.

From a productivity perspective, users get an initial boost from the latest equipment and software, but will soon see a degradation as the organization cannot keep up with the latest features coming to market.

3. BYOD of Any Device. All devices welcome with open arms! Users are able to bring in, connect, and use their favorite devices. Security controls are usually network based or via containerization technology on the device itself.
Pro: Initial hardware costs are very low for the organization, as the user absorbs initial out-of-pocket costs for the device. Productivity remains high, as users will continually install latest applications and refresh to current hardware as they see fit.
Con: Expensive to manage and secure. Costs skyrocket to provide and maintain security controls and connectivity support over a wide swath of different devices and applications. Security solutions, many with a high per-seat cost, is required. Not all devices are created or configured equally, adding to the cost and frustration of IT and security departments. The expenses continue to increase and never plateau as users follow the non-stop march of evolving technology, applications, and shiny devices

Challenges with co-mingling of users private data with enterprise oversight can still persist depending upon controls and access configurations

4. BYOD of Certain Devices. The middle ground, allowing users to front the initial costs and enterprises can focus on security and management of a much smaller subset of devices. Network, cloud, and device containerization technology provide security.
Pro: Low initial costs as users purchase the devices. It is a flexible model where the optimal balance of cost, productivity, and security can be adjusted as needed.
Con: Still costly, as the enterprise must invest in security solutions for allowed devices, but policy will limit the number of configurations and therefore help keep costs and risks more manageable. As new devices are supported costs will rise due to legacy support and other complexities. Security is managed based upon the vetting and controls mandated for approved configurations.

Productivity varies based upon the breadth and timeliness of support for new technologies. Satisfaction and productivity also follow this curve. The more devices and applications supported in a timely manner, the happier and more productive the users, but the costs skyrocket accordingly.

Sadly, the pesky problem of data comingling is still present.

There is no universal winning choice. It really depends on the organization, risk appetite, budget, worker productivity needs, and the sway of the most vocal users. A very small number of organizations can disallow all personal devices, mostly government types. Only companies willing to spend a tremendous amount of money on hardware or those which already have a strong caste systems to support a limited distribution will be interested in providing workers with such devices in addition to primary work PC’s. Organizations which have little need for confidentiality, integrity, and availability aspects of security might be able to live with openly connecting any BYOD their users may bring into the office. Although a significant number of organizations may try to dabble in this area before realizing the rapidly growing support costs and security issues before changing to a different strategy. In the end, I believe the majority of organizations will choose to embrace the last option of supporting only certain BYOD devices. They will select a mix of devices, software, and controls which satisfy a broad community while keeping costs and risks predictable. This is no small feat as these solutions are not yet mature.

Every organization must find their own path. They must consider the options and tradeoffs of costs, productivity, and risk. No perfect solution exists, but with forethought, collaboration with users, and solid execution, a manageable solution might be within grasp.

Information Security – it’s not only about the technical controls!

webadmin@intel.com — Thu, 11 Apr 2013 20:49:41 GMT

Security means many different things in different contexts. With Information Security, it should be about protection of an asset from a known threat. But many times there are biases to security solutions based on controls that are predetermined. The most important questions that should be asked before the how part is defined for a security solution are;

Why is there a need to establish security? It’s an important premise that you determine the value of information to your organization and to your adversaries.
Secondly, who are you protecting this information from? If one is to protect something, one has to identify what the threats are, so as to take appropriate steps to mitigate them.
Thirdly, protection or prevention is one aspect of security controls. Considere detective and corrective mitigating controls addition to preventative mechanisms that could fail.

Because of biases in specialty areas, there could be a tendency to emphasize specific technical controls in defining a security solution. This leaves a great deal of ambiguity and more fuel for fear, uncertainty, and doubt that plagues the field of protecting computer information systems. And as Matthew Rosenquist described in one of his blog posts last year when asked for one word to describe the biggest challenge in information security these days, he used the word ambiguity. While many security researchers are trying to find the latest security flaw, other security professionals are trying to determine how the next security tools provide better technical protection capabilities. But it’s important to realize that information security is not only about the technical solution, it should be a business decision first.

Information Security is not only about technical threats and so technical security controls should not be the first consideration for protection. Technology is often among several other countermeasures used to implement a security solution after defining what it is that needs protecting and from whom it needs protection. This is where administrative controls should be considered first so that the definition of what needs to protect can be defined through procedural controls. Some industries have policies, standards and guidelines that must be followed based on the type (classification) of information, but risk should be evaluated based on threats in context of the environment for which the information made available through processes, transferred, stored, or destroyed. A defense-in-depth strategy should be considered during the earliest stages of the development lifecycle but oftentimes there are changes to the environment that are made well after the deployment of a system or software solution that can introduce risk from new threats or greater exposure to existing ones. Before administrative controls are defined, a risk assessment should be completed to analyze the threats for which any system is vulnerable to.

The real value of a risk assessment is that some systems may process information that is not under industry regulations for protection but still have value to an organization. In many cases an organization will focus on risk from audit failures and apply most of the security dollars to mitigate risks defined by audit report because information classification levels require regulatory protection such as Sarbanes-Oxley Act (SOX), PCI Data Security Standard (DSS), or Health Insurance Portability and Accounting Act (HIPAA) just to name a few. But information of value does not only fall under classifications that have industry standards for protection levels. The risk assessment is a way to have dialog amongst the team and is helpful to communicate with management across the board for all information protection requirements becuase ultimately it is a business decision to implement security controls. Additionally, security controls can be protective but detective and corrective security controls should always be a consideration for a Defense-In-Depth security strategy. One strategy that is taking a more reasonable approach to increasing the level of information assurance is the focus on the threat rather than the vulnerability through the use of a Threat Agent Risk Assessment methodology developed by Intel. This approach places emphasis on what is reasonably possible from a threat perspective in order to address the most likely events.

Security Does Not Need to be Complex to be Effective

webadmin@intel.com — Mon, 08 Apr 2013 18:12:39 GMT

Even a 10 year old little girl can prove this fact:

A 10-year-old girl thwarted an abduction attempt after asking a stranger for a code word that he did not know.

A man approached a 10 year old girl outside a public school and attempted to lure the girl into his vehicle. The man told the girl her parents had sent him to pick her up. But the girl and her parents had setup a shared secret code-word for anyone authorized to pick her up from school.

The girl asked for the code word but the suspect got it wrong. She told him it was incorrect and he drove away.

I applaud the parents for a job well done in implementing a simple and effective security solution and to the little girl who deftly executed to it, likely without the need of understanding the grim impacts of failure.

In the security and technology industry, we can learn volumes from this encounter. First, a security savvy person is far more effective than a stack of technical security controls. Second, complexity does not guarantee effectiveness. In fact, simplicity can be more cost efficient and easier to implement. An elegant solution, is one which is accepted, applied, and delivers the preferred result.

As security professionals, we have an opportunity to meet these requirements to deliver an optimal solution through a marriage of inherent human and technical considerations. We must not forget, computer security is a combination of both. The very best solutions enhance the user’s ability to be secure without being cumbersome. Pure elegance.

Poor Security Policies Lead to Disastrous Customer Service

webadmin@intel.com — Fri, 25 Jan 2013 18:13:03 GMT

Security is about preventing loss. But be careful, as instituting poor security policies can drive away customers and impact your business.

This is a story of how a financial institution is doing security wrong.

I have been a customer of a local credit union for nearly 40 years. It has a few branches, online services, and prides itself on customer service. My account was open at a very young age and had since moved away but always kept my account active and enjoyed a number of the financial service offerings over the years.

The problem began in a benign manner. I recently moved and was changing my mailing address with my various financial, health, and business accounts. In today's web-centric world, it is pretty easy to accomplish. In every case except one, I would login to the organization's website with my credentials and provide my new address. In some cases I would have to provide additional information for verification, but the process was smooth. They quickly followed up with an email notification or a card in the mail at the previous address as a measure to detect fraudulent submissions.

Then came my credit union. Their website requires a User ID, password, and additional validation of challenge-response questions if connecting from an unrecognized or public PC. It even sports an anti-spoofing feature where an image previously selected by the customer is provided as part of the login. All wonderful security measures which I applaud. However, it lacks a friendly user interface to edit profile details. With no obvious way to change my mailing address online, I called the support number and was informed I needed to write a letter requesting a change of address, provide my account number, and signature, and send it via US mail to their offices for processing. Although inconvenient, I followed the instructions.

A few days later I received a voicemail at my home number, which was on record with the credit union, and was informed they received my written request but didn't believe my signature was authentic and therefore declined my change of address. What?

I called again and at their request provided my account number, date of birth, and last four of my social security number, home phone, email address, and mobile phone number to validate my identity. After providing all that was requested in addition to details about my account history which would not be on any recent statements, I explained my issue to the supervisor in charge. I was informed they could not readily locate my written request but reassured me it should be around somewhere and instructed me to either come into a branch, which is nearly 2 hours away, or photocopy my driver’s license and fax it in.

No.

I refused to be a part of such "security theater" (as Bruce Schneier would say). I asked why all this is necessary to change my mailing address? With the information I provided on the phone or necessary to login online, I can electronically transfer funds to external accounts, receive a personal loan, reset passwords, request checks, and change all other contact data in my profile. Why the elevated security for a mailing address change?

Here is my favorite part. The supervisor, in his best authoritarian voice told me it is for my protection, that I probably wouldn't fully understand the security risks, and that is was 'required by law'. When I told him I am a security professional of 20 years, have consulted banks, and work as a computer security strategist for one of the most prominent companies in technology, his voice went soft. I explained how the additional controls provided no appreciable value and how the rest of the industry follows more rational practices. I challenged the representative to identify the regulatory requirement, because none exists which specifies a written and signed request or photocopy of a state identity as necessary to fulfill a change of address request on a basic consumer financial account.

In the end, we came to the obvious conclusion he was simply following the company's security policy, one created with the best of intents, but lacking both insight and effectiveness to reducing the risk of loss. It is in fact counter-productive, causing frustration on behalf of the customer and consuming employee resources for no appreciable risk benefit. Regardless of the absurdity, as good employees, they are bound to adhere to it. I don't fault them, rather the management who instituted the ill-advised policy. We were at an impasse, my stubbornness against their policy.

As I am a fan of economic models and democracy, I have chosen to vote with my wallet. I abandoned my goal of an address change and instead asked for two things. First, to close my account. Second, to provide me with the email address of the CEO.

I deal daily with the security industry and ecosystem. I have found in many cases the CEO's and CISO's are insulated from some of the choices they make and unaware of potential side effects of their security policy. The best management hunger to know of issues and is always looking to optimize their security practices. With this in mind, I wrote a friendly note which I emailed and also hand delivered (when I visited in person to close my accounts) to the CEO of the credit union to help in his awareness. Although he has not responded, I still have hope good security practices will prevail for the benefit of the remainder of his customers.

The lesson here is security controls must be consummate with the value of what is being protected. A proper, efficient, and effective security policy is a powerful tool in the hands of capable employees. But at the same time, poor security policies can have a detrimental effect on customer service, resources, and the business's bottom line.

Beware of policies which provide no additional level of security. It does not make sense to require extra hurdles to protect less critical assets. In this case, current phone and online verifications, sufficient for more sensitive transactions, should have sufficed for a change of address. As an extra measure, consider a post transaction notification via mail, phone, or email, which is the accepted standard.
Superfluous policies create inefficiencies and more unnecessary work for the employees and customers. There is always a cost to security. Squandering resources due to poor security policies is not good use of time, customer's patience, and employee effort.
Any policy which unduly hassles customers, delays services, and potentially exposes private information to unintended parties should be revised. In this case, with the wrong address on file, upcoming tax documents would be sent to an address not that of the customer. Such policies must consider that 'failing-safe' may require a change in status-quo. Additionally, in this case, the policy called for the creation of more unneeded documentation with account information and potentially a photocopy of government issued identification (which likely would also contain unneeded personal information), and the apparent inability to manage the storage and destruction of aforementioned paperwork. Policies should not exacerbate or complicate identity and data situations.

Instituting the perfect security policy is difficult in every industry. We must however keep our eyes open and understand the unintended consequences in order to learn and adapt. An optimal security policy must align to the risk-appetite of the organization, meet legal requirements, and fit within cost considerations without jeopardizing the critical services to customers. When it fails, either too overbearing or too weak, it can fail big. I hope other organizations can learn from the viewpoint of their customers and the lessons of their peers. This is a learning opportunity for all.

I have intentionally omitted the name of the institution and parties involved, as they are not important.
..if the CEO does respond, I will update this blog and even post his response if he grants permission.

Deploying Microsoft Windows* 8 in the Enterprise

webadmin@intel.com — Mon, 21 Jan 2013 23:46:02 GMT

Intel IT is standardizing on Windows* 8 as the primary operating system for business Ultrabook™ devices and Intel® architecture-based tablets. We are accelerating the deployment readiness for business Ultrabook devices and tablets, and intend to make the new OS available for laptop and desktop PCs. Our plan is based on six months of extensive analysis and testing of Windows 8, including a pilot of over 300 users. Read the paper and tell us what you think.

Top 10 Security Predictions for 2013 and Beyond

webadmin@intel.com — Thu, 03 Jan 2013 17:04:49 GMT

It has been an exciting and eventful year in the world of computer and information security. As I look back through the stack of articles, conference notes, political and regulatory wrangling, technology winners and losers, and most captivatingly, the behaviors of the attackers, I find myself giggling like a schoolboy. It is truly a wonderful time to be in this industry. We certainly live in interesting times.

As the chapter of 2012 has come to a close and the blank pages of 2013 open before us to be written, it is time once again to look into the future and predict what the next 12 months hold for the cyber and information security domain. Based upon nailing last year’s predictions, I believe I have earned consideration to wear the turban of Carnac the Magnificent.

…which as I think about it, may be a reference which most readers may not get: Johnny Carson, The Tonight Show. Oh, never mind. I am old, go Google it.

Many aspects of security will continue to hold true. Malware will increase, vulnerabilities will be discovered, systems will be hacked, patches will be issues, fraud and loss will be rampant, stories will be sensationalized, victims will cry, attackers and defenders will get better, legislatures will demand action, and the citizens will be aggressive in expressing their opinions and asserting their rights. Certain characteristics of security are persistent. These are pedestrian predictions. They go without saying. Above and beyond those are my security predictions for 2013 and beyond:

Top 10 Security Predictions for 2013 and Beyond:

The devastating Internet-infrastructure Cyber-DOS attack, will NOT happen!
Fear mongers relax. The debilitating Denial-of-Service of our precious Internet-of-Things will not happen, at least in 2013 and likely not for some time, if ever. The only real chance of this is if an all-out war broke out between major technology-vested countries. When troops and tanks roll, all bets are off on the potential for collateral damage in the cyber world. Short of that, an elaborate attack to do irreparable harm to the Internet is just not likely. Those who can, rely upon it themselves. Those who want to destroy the evils of the Internet, likely do not have the ability to succeed. It is a stalemate. Targeted attacks may occur, but the great “Cyber Pearl-Harbor” is just not realistic.

But what about the rapid advances of nation state cyber warriors and technologists? Heavily financed, well resourced, and highly motivated to fight and win in the cyber battlefield? Well, here is the real story. Any professional investigator, military strategist, or intelligence operative worth their merit, will tell you the goal is to compromise a command, communications, and control network. Not to destroy it or take it offline, but rather to conduct surveillance, gather intelligence, and then use it in ways to undermine and target the enemy. The last thing you want to do is take it offline! The professionals know this. It is the amateurs who launch DOS attacks, as the pro’s play a smarter game.
The real target for 2013 and beyond, are BANKS!
Forget DOS attacks against social sites, vulnerabilities in toasters, lost health records at the local clinic, and data compromises at NASA. The real targets are banks. Professional criminals and syndicates are getting smarter and realizing the Internet is a much better means to achieve financial gains, than the local streets and traditional businesses they play in. With unimaginable wealth sitting just beyond the keyboard, they have the resources to invest in order to seize major scores.

Where are all these riches you ask? Mr. Willie Sutton, an infamous bank robber of the 20’s, would likely tell his compatriots to ‘go where the money is’. Banks. This is how it has always been, as thieves gravitate to where the loot is.

With banks rushing to connect with customers online and via phones, they have underestimated the lurking dragons waiting to pounce. These attackers range from the rudimentary to the highly organized. But the truly dangerous villains are experienced in being selective, stealthy, and planning for multi-million dollar heists and scams. It is happening already and we have seen but the tip of the iceberg. The banking industry needs to wake up. Security must be taken seriously as they expand to reach and service their customers. In 2013, we will see many failures of this. Only those organizations who invest in both superior security leadership and technology will stand confident.
Arrests, prosecutions, and pressure against threat agents will continue go up!
Last year we witnessed an aggressive crackdown on hackers and cyber criminals. Security and law enforcement capabilities, techniques, and cooperation continue to grow and improve. Tangible success in security reinforces investment. This momentum will accelerate in 2013 and we will see many of the less savvy players brought to justice. Expect this trend to thankfully continue forward.
Cyber regulations remain inconsistent across borders, vague, and ineffective. But will continue to slowly coalesce.
Politics, economics, social expectations, and regional differences in what is considered an individual’s right will continue to hamper globally adopted regulations. But this is an important and valuable effort, which is the one thing everyone agrees in common. They will continue to slowly align, find tradeoffs, and coalesce for everyone’s benefit. Patience. It will be a bumpy ride with false starts and turmoil, but it will get a little better in 2013, then 2014, etc.
Governments invest heavily in Cyber
Tech savvy governments have no choice. They must now invest in cyber technology to defend their systems, people, privacy, and national infrastructure. Larger governments are investing heavily in offense, defense, detection, infrastructure testing, survivability, intelligence, resilience, SOC/CERT's, Hunter Teams, etc. They will evolve to both establish and defend their online territory and systems. As we saw in 2012, many governments are openly recruiting and establishing centers of excellence for the particular skills necessary to reach out and influence or affect others. In 2013, many such entities will have created and begun training in earnest with viable offensive cyber weapons. Welcome to the fifth domain of warfare. There is no going back.
Regulations increase in depth, breadth, and specificity for high technology
Technology hardware, software, cloud services, mobile devices, and the data collected from all those sensors will come under regulatory scrutiny. It won’t all come at once, but it will come. Privacy, critical infrastructure protection, government systems standards and minimum controls, data aggregation, and remote surveillance will be the first targets for more specific and comprehensive requirements.

Many of the current or first generation government regulations were broad in nature. They are getting more explicit and lengthy. Ever read the NIST 800 series? This is not necessarily a bad thing, but bureaucracy can sometimes be slow to respond to rapidly changing environments. Satisfying regulations is always a start, but never a guarantee of security. In 2013, we will see more required oversight, business practice investigations, clarity in technical and behavioral requirements, and those out of compliance will be penalized.
Mobile malware and attacks increase
No surprises here. Although it falls into the category of blazingly obvious, it still deserves a call-out. The rapid adoption of smartphones worldwide has spawned an insatiable vortex of desire for applications and services. Each an opportunity for attackers. The rush and competition for product releases has left security as a distant bystander. This environment is ripe for rampant malware and attacks. We all will start to see and feel the pain in 2013.
Covert attacks get better, more sophisticated, and tougher to decipher
Amateur night is over. Although the vast majority of malware out on the Internet is basic and well understood, this will begin to change. Sophisticated covert attackers have learned that discovery is the death knell of their malware. They will take innovative steps to stay hidden, be more resilient, survive counter-attacks, and make it much more challenging for security researchers to understand the inner working of future malware.
Innovation rules. Attackers and defenders get better, at a much faster rate than before.
Investment spurs innovation. The world is becoming more connected between people and valuable services. With governments, businesses, and consumers investing in security, the stakes and investment are raised. Both attackers and defenders will improve to counter their respective adversaries with innovations backed by these investments and opportunities. The race will simply get faster.
Patent lawsuits to infiltrate the security services industry?
Patent lawsuits are rampant in the technology sector. Will security become the latest target in 2013? Perhaps. This prediction will come down to economics. I will confidently predict more patents will be filed for security in 2013. Only if a significant paycheck is plausible, will the patent lawsuit community begin to circle. I give this a 50% chance of seeing a security technology patent lawsuit by the end of the year.

There you have it. My top 10 predictions for 2013. Come back in December and we can celebrate together or you can berate me mercilessly. Either way, it should be a fun and interesting 12 months.

2012 Crackdown on Hackers and Cyber Criminals

webadmin@intel.com — Thu, 27 Dec 2012 17:36:09 GMT

A number of high profile takedowns, arrests, and prosecutions have occurred throughout the year. As I predicted for 2012, we have witnessed a tremendous amount of pressure towards the people behind computer attacks. More focus is being placed on interdicting and removing the threat-agents, the term for archetypes of attackers, instead of just addressing the vulnerabilities exploited by their attacks. Targeting the culprits behind computer attacks effectively cures the root cause instead of just treating symptoms. Individuals and groups were pursued by law enforcement agencies, security firms, and internal response teams worldwide. It is emerging as an effective and necessary practice which continues to gain momentum.

Recently, US Justice Department officials announced they will pursue criminal charges against threat agents sponsored by other nations. This is huge. It will expand the scope and depth of worthwhile investigations in areas holding the greatest potential for loss. Although laws have been in place since 1996 to protect from economic espionage, it has largely been ignored, partly due to the difficulty of proving foreign government collusion, political ramifications, and also due to the complexities of presenting a solid legal case.

With sufficient numbers of properly trained prosecutors, it may be possible to bring enough cases to into public view to have a sufficient impact and drive change. Optimally, public awareness and support is critical to address political hurdles and approve necessary funding for future prosecutions. Knowledge by current or prospective threat-agents promotes deterrence and a stigma of wrongdoing for those who are impressionable and may see such activities as attractive. Lastly, successes in prosecution will show other regional and international law enforcement agencies that this is a problem which can and should be tackled. With a growing list of successful cases, it promotes the necessary legal infrastructure and expertise to make the process more efficient. All this adds to a stronger capability to remove the elite and upcoming talent who choose to leverage technology in malicious ways at the detriment of others.

Here are some of my favorite cases for 2012:

Arrests against the international Butterfly Botnet crime ring, responsible for over 11 million compromised computers and $850 million in losses http://www.fiercegovernmentit.com/story/fbi-announces-arrests-case-international-cyber-crime-rings-linked-butterfly/2012-12-13
FBI "Carder Profit" sting busts people in 12 countries, dealing in stolen credit card numbers. http://tpmmuckraker.talkingpointsmemo.com/2012/06/fbi_sting_carderprofit_cc.php
Microsoft’s Digital Crime Unit (DCU) continues to lead the charge against botnets, with impressive work against Nitol, Kelihos, and Zeus. These guys and gals are my heroes, really. http://www.microsoft.com/en-us/news/presskits/dcu/
An international cyber scam ring was prosecuted, which had used scareware tactics to defraud $71 million by selling bogus security software after infecting systems. http://www.justice.gov/opa/pr/2012/December/12-crm-1503.html
Sentencing of the team behind a shockingly coordinated worldwide banking attack, involving participants in over 280 cities worldwide, who siphoned over $9 million from 2100 ATM's. This involved compromised bank accounts and synchronized ATM withdrawals http://www.fbi.gov/atlanta/press-releases/2012/sentencing-in-major-international-cyber-crime-prosecution

This is just the start. Expect this list to grow significantly in 2013. I am confident as more pressure is exerted on cyber criminals, the threat landscape will thin thus allowing for resources to target those who adapt and attempt to cause the greatest harm. It is the normal cycle of criminals, technology, and justice. I can’t wait to see what interesting prosecution holds for 2013.

The confounding world of information security terms, from Access to Zone of Control

webadmin@intel.com — Mon, 17 Dec 2012 21:46:43 GMT

Communication is incredibly important in the security industry. We must work together, be it small teams, across organizations, or beyond boarders throughout the industry, government, supporting ecosystem and academia. But we have a problem. It has become commonplace to talk past each other with terms a speaker perceives as precise, but audiences interpret in vastly differing ways. In many cases terms can have a multitude of definitions with a high dependency on context. But when the description of the context also contains words with varying or unclear meanings, the problem is proliferated.

It causes enough separation to inhibit conveyance of clear ideas, concerns, and expectations.

To make matters worse, the sheer size of the security vocabulary has grown immense and continues to expand. Listening to some conversations, it sounds like a new language of acronym soup: "The ROSI of the SEIM is highly dependent on the SOC's ability to filter False Positives to track APT's and protect SPOF's from Integrity and DOS Availability attacks. " I am truly sorry for anyone who actually understood that...

Even the hard core professionals get tripped up over terms which may be clear in their mind but not so with listeners. Terms like hacker, Advanced-Persistent-Threat (APT), identity, loss, threat, and even what constitutes an 'Attack' can differ greatly. One of the most overused and inconsistently defined term is 'virus'. It has become a catchphrase and conglomeration of negative events, computer code, and a moniker for vulnerability. If you asked twenty people to define 'virus', you would likely get twenty-one different answers. It did at one time, have a very specific definition. It was a type of code which injected itself into other code or processes and replicated. But today it tends to be used as a term which covers all manner of malware, including Trojans, bots, droppers, worms, spyware, sniffers, loggers, backdoors, spyware, ad-ware, Potentially-Unwanted-Programs (PUP), etc. Some of which are actual categories of code, while others are simply descriptions of how or what that code does. A blurry line of delineation to be sure and all of which actually have their own definitions. It can be all so confusing and we in the industry are not helping the situation. Does anti-virus software only target viruses? No, of course not. But we cannot be more articulate, at the risk of confusing everyone even more!

The industry is hobbled by an inability to consistently and effectively communicate. So, with a big round of applause and gratitude, I want to thank those hard working folks at NIST. NIST has been busy, very busy. They have released the second draft of their Glossary of Key Information Security Terms. An impressive listing of technical and general industry terms, covered in over 200 pages. It is a sizeable document, defining terms from Access to Zone-of-Control. But sadly, it is not even close to a complete reference for computer security vocabulary. The NIST glossary focuses on aggregating the terms and definitions of their library of documents. It is not intended to define terms for the whole of security. Acronyms and expressions like ROSI (Return on Security Investment), Crossover Rate (the point where False-Positives equals False Negatives, also referred as the Crossover Error Rate), SOC (Security Operations Center), and CERT (Computer Emergency Response Team) won’t be found in those pages.

So how big is the computer security vocabulary? It is a bit scary to ponder and doubtful anyone knows for certain. But until someone comes out with something better, I am adding this to my reference library. In the end, we must all struggle to communicate effectively. Defining common terms goes a long way to make our security industry stronger.

Intel Goes with Windows 8

webadmin@intel.com — Fri, 14 Dec 2012 17:30:05 GMT

After evaluating Microsoft Windows 8, we have chosen Windows8 on Intel Architecture as the standard operating system for Ultrabooks and tablets in our enterprise environment. We are excited to use this totally new operating system on a variety of devices, especially those that include touch.

Windows 8 will enable IT to deliver a flexible, positive user experience. It provides greater mobile productivity and the user experience our employees crave.

The response of the early users of Windows 8 in our environment has been very positive. We are moving ahead. By mid-2013 thousands of Intel employees will be using Windows 8.

Follow me on Twitter @kimsstevenson.

AV is Not Dead

webadmin@intel.com — Thu, 06 Dec 2012 17:45:15 GMT

Recent stories in the news imply Anti-Virus (AV) is dead. A longtime staple of security managers and consumers, AV and more broadly, anti-malware products are a pillar of the security industry. Could all our investments, preconceptions, and efforts be worthless? Rest assured, the sky is not falling. The “Anti-Virus is worthless/dead” mantra has been around for years. Yet the anti-virus/malware industry is alive and thriving, with good reason.

The world of computing is a dangerous place. Client systems, such as PC’s and more recently smartphones, are under constant pressure from new malicious software. To date, about a hundred million different specimens of nefarious code are in the wild and ready to pounce on their next victim. Those numbers continue to increase by tens-of-thousands of new malware emerging daily.

Most of the security industry embraces anti-virus/malware protections resident on their devices, to resist the persistent onslaught of malware developers. Even consumers, typically not savvy in security matters, recognize the value of AV in protecting their devices and data. In most managed environments, anti-malware controls are leveraged across the networks and back-end servers, in addition to client systems.

Over the years, a very small community has voiced opinions that AV is dead or worthless. They hold the position client based anti-virus and anti-malware are ineffective at protecting systems. They run tests against small samples of new malicious code or show how some systems still get compromised even when benefiting from AV products. Year over year they speculate how traditional AV methods can’t keep pace with the increasing malware being introduced and it is on the verge of collapse. Like doomsday predictions, they keep coming.

I believe this is an extremist position and in many cases, putting forward a misleading straw-man argument. The false-logic goes something like this:

Longstanding position of the security industry: Anti-Virus/Malware provides important protection of systems against malicious code
False-logic counter argument: Anti-Virus/Malware does not provide total protection and a system could be infected with malicious code, therefore AV is not worthwhile and dead (or soon will be)!

Don’t fall for the hype. Here is the real scoop. Anti-virus/malware solutions are one of many different security controls. It is not an impervious shield, just like all other potential protections are not perfect solutions. These tools do provide a great deal of protection but should be used in combination with other controls. In security parlance, it is called Defense-in-Depth. No one tactic or tool will suffice. The attackers are just too many and too smart for a single control to work across the board for any meaningful period of time.

More reasonable people in the past have also weighed in on the value of AV and in some cased they have chosen to rely on other compensating controls. But their message is different than “AV is worthless”. They see AV as one of many different options which can manage security risks. They are savvy enough to choose the right set of interlaced solutions which achieve the desired level of security for their specific computing environment. This can be misconstrued when it is not understood. In the end, they are still applying a defense-in-depth methodology.

Why would a security professional choose not to deploy Anti-virus/malware on clients? Well, in some delicate, isolated, or sensitive environments AV may not be a viable option. Products may not support the hardware, software or operating systems, be cost prohibitive, invalidate system or maintenance warranties, or be unacceptable from a performance perspective. Instead, other security controls may be employed which compensate for this deficiency. As far as I have seen, these tend to be limited to small parts of corporate environments. For most systems which connect to large networks and the Internet, anti-virus/malware makes practical and economic sense.

Evaluating controls and implementing the right combination has been at the very heart of computer security from inception. Time and again, anti-virus/malware has been chosen as a valuable contributor to the mix. This will likely not change in my lifetime. Rest assured, akin to what Mark Twain said, I say the death of AV has been greatly exaggerated.

Time machine sampling for the “AV is dead” concept:
2012 report: Antivirus Software a Waste of Money for Businesses, Report Suggests

2012 article: Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results
2010 article: Is Anti-virus Dead – The answer is YES. Here’s why…

2009 article: Experts only: Time to ditch the antivirus?
2009 venerable Bruce Schneier’s blog: Is Antivirus Dead?

2008 article: Signature based antivirus is dead: Get over it

2007 article: Is desktop antivirus dead?

2006 white paper: Anti-virus is Dead

And finally, here is my own blog post from 2010 showing hard numbers of effectiveness for AV: The Hard Truth of Anti-Virus.

Cyber security Hunter teams are the next advancement in network defense

webadmin@intel.com — Wed, 28 Nov 2012 15:52:17 GMT

Hunter teams are emerging as a new tool in the world of cyber defense. Computer security continues to improve and evolve of overtime. One of the latest practices gaining momentum is the use of cyber security “Hunter teams”. Differing from how standard security operations function, hunter teams fill an important gap and push us one step further on the evolutionary ladder of cyber security. They are cyber-investigators which enhance an organization’s capabilities by supplementing the overall defense from persistent attackers. They are typically a group of bright, experienced, talented, and motivated professionals which work together to detect, identify, and understand an advanced and determined threat agent.

Hunter teams approach threats in a personal way. They seek the human origins of attacks and focus their attention on disruption or removal of those threat agents, instead of the attacks themselves. In simple terms, they target the attackers.

These hunter teams are sprouting and taking root in many different places. Anti-malware companies, research organizations, and internal security departments have begun to embrace looking for the attackers. Investigation teams, including cyber guns-for-hire which are brought in after the fact when serious breaches are detected, are also looking for the people behind the attacks. However, it has been the military and sensitive government organizations which have been most vocal in recruiting for hunter team talent. They have the long history of knowing the value of identifying the enemy and have been quick to embrace this practice and are serious in making it successful.

Hundreds of years ago Sun Tsu penned the authoritative tome on warfare strategy. One of its pillars is to know your enemy. A key to conflict is to understand that attacks are simply a method for the threat agent to achieve their objectives. An active defense not only shields against attacks, but also targets the attackers. Those people who would do you or your mission harm. Take the attackers out of the equation and the attacks also go away.

Hunter teams play an important role, different than standard security operations staff. In the past decade, we have seen the rise of security operations centers (SOC). Security operations departments are typically configured, resourced, and driven to contain attacks and remediate to a state of normal operations. They are in a continuous cycle of fixing the symptoms and tweaking the defenses so the organization continues to operate in a stable and expected manner. It is a never ending struggle which works best against the flood of broadly sweeping attacks on the internet, which look for any target of opportunity. In most cases, SOC’s are only interested in attacks which undermine the operational performance and value of the environment under their protection. They are well suited to tackle ordinary malware infections or plug understood exploit activities by using industry best-known-practices, but can easily falter when faced with something unique and specifically targeting only them. They are by design inwardly focused, limited to a technology sandbox of security control configuration or fixing assets within their internal environment.

Hunter teams take a different approach and seek the root cause, namely the threat agent themselves, who are initiating one or more attacks. This may be internal or external to the organization. Not satisfied with simply undermining the latest infraction, they want to quell the problem at the source and eliminate future attacks from the same threat agent, whom may possess the ability to coordinate completely unique and unpredictable maneuvers.

History shows why this is important. Attackers maintain the combat initiative and determine where, when, and by what method an attack will occur. Defenders typically respond to attacker’s moves and evolve the defenses to protect against those newly understood methods.

Attackers therefore have an advantage. It takes time, effort, and resources for defenders to recognize they are being attacked, decipher how it is being done, then develop a means to isolate the ongoing breach and block future attacks, and then remediate the affected systems. A threat agent who is determined to attack a specific target can try a number of methods until they succeed. Without threat of themselves being in jeopardy, they can continue varying the assault until they find an approach which works. The only effective way to stop such a persistent threat agent is to dissuade or remove them from the equation. This is where the hunter teams come into play.

Criminal investigators are a good example of the hunter team methodology at work. If someone breaks down a door to rob a bank, the security operations team looks to install stronger doors and maybe a better alarm system. They are inclined to identify and close the vulnerability. A criminal investigator will look to see who is trying to rob banks and target those threat agents. The investigator knows such a robber will continue to evolve their tactics until they succeed. Operations efforts to improve door standards, alarms, etc. are still fine measures which reduce the risk of loss, but the investigator’s role is just as important.

When I managed Intel’s Security Operations Center, I was also the Incident Commander for the company’s IT Emergency Response Process. This is the team that takes charge whenever the company’s computer environment is being attacked. I remember during a virus outbreak instructing the security operations team to track, isolate, and clean infected systems, and then turning to my intelligence section leader and asking him to go forth and determine whether the incident was simply a wild virus finding its way through the cracks or was it a directed attack specifically against our company. The challenge I assigned the intelligence lead was so I could understand if the threat agent was specifically targeting Intel Corp with their malicious attacks or if we were simply caught in a broader net cast with a generic attack. This would help me understand whether it was a fluke oversight in the configuration of our defenses or just the beginning of something far worse, potentially a directed campaign against our security infrastructure.

Cost and scalability limits will constrain their use, but hunter teams are an important step forward for the industry. Cyber security hunter teams have been in limited use for some time and are gaining momentum. The results can be seen in the news. Botnet takedowns, the breaking-up carding rings, shutting down of illegal fraud sites, malware author arrests, and the prosecution of insider theft and sabotage cases are possible because the attackers were targeted. What are not publicized are the equally impressive results which occur quietly in defense of highly protected networks. These teams can be valuable in identifying the root cause of problems, putting the puzzle pieces of seemingly disparate incidents together, identifying the offending attackers, reconnaissance for early alerting, and providing intelligence necessary to interdict and prosecute them. Hunter teams can be a very powerful tool and effective in stopping some of the most grievous threats.

These specialized capabilities come at a cost. In order to succeed, a combination of brilliant talent, tools, support from legal, and in some cases partnership with law enforcement and industry partners/suppliers/customers, is required. It is a significant investment to establish and maintain a team at a sufficient level to see worthwhile results. Additionally, something intangible is needed; patience. Even the most proficient team needs time to hunt and results can vary greatly.

Beyond costs, hunter teams also have a significant downside. They are not very scalable. Most teams work a single case or issue to closure. Some teams can multi-task, but at a great loss of effectiveness. I have been fortunate to be a part of a world class loss prevention team, specializing in detecting, tracking and prosecuting threat agents. When on the hunt, teams are narrowly focused. Timing is critical. Proficiency matters. Splitting attention to a multitude of separate cases is a recipe for disaster. Compared to security operations teams, which can much more easily multitask and close issues with great speed, hunter teams seem to move in slow motion. But what they lack in the quantity of case closures, they can make up for in results. Overall, the high costs and the lack of scalability are tall barriers which prevent widespread adoption.

Certain organizations, where the cost and scalability headaches are worth the additional security capabilities, should consider the use of hunter team’s. Environments where assets are targeted by persistent, creative, and resourceful threat agents, seeking explicit objectives, from a specific target will benefit the most. Identifying and understanding these dangerous and capable adversaries, who seek to undermine your security controls and compromise your environment, is an important step in countering massive potential damage. This is not important to most, but for those organizations which are under the pressure of being targeted directly by skillful and motivated threat agents, hunter teams are a viable and attractive option. I strongly suggest financial, defense, sensitive government, and high profile critical infrastructure organizations look into using them. Additionally, I urge security providers and consulting firms to evaluate offering professional hunter team services. The demand over time will continue to grow.

Hunter teams are a necessity in the evolution of cyber security. They are a pivotal step forward, applying desired pressure to attackers. Yet, they are not the final state. We will continue to evolve the practices and technology of targeting threat agents into something more scalable, affordable, and effective. But for the time being, I welcome hunter teams to the playing field. It is about time you showed up. We really need you. Happy hunting!

Inside IT: The Evolving Role of IT

webadmin@intel.com — Tue, 06 Nov 2012 18:53:43 GMT

It’s the essence of this podcast series – the change of IT’s place in the organization, and the role IT plays in relation to all the business units in the company. In this episode we wanted to turn to someone with a long-term view of the evolution of the IT organization, Kumud Srinivasan. She was recently named the next president of Intel India, one of Intel’s largest non-manufacturing sites outside the U.S. At the moment, Srinivasan leads IT’s 1,000-person Silicon, Software and Services organization. In all, she’s been with Intel for a quarter of a century. I was fortunate enough to get some time with her before she transitioned into her new role. It was a fascinating conversation to be a part of. To hear from someone who really has first hand knowledge of so many changes IT has undergone. For me, she brought a renewed excitement for the next phase of evolution Intel IT will be entering into. In this podcast, we focus on how Information Technology became such an essential part of the enterprise, and how IT’s role continues to change. You can listen here.

McAfee 2012 FOCUS security conference is a success

webadmin@intel.com — Fri, 26 Oct 2012 16:41:47 GMT

Every year, McAfee hosts the FOCUS security conference to pull together its customers, partners, and industry leaders. The conference informs and educates attendees on the latest threats, trends, best-known-methods, and showcases McAfee's new technologies and services. This year's conference was another grand event and success, with a 20% attendee increase over last year, two keynote speeches, and over 70 targeted, highly technical sessions organized into 14 tracks.

The first day focused heavily on technologies and how the threat landscape is manifesting new types of attacks. Mike DeCesare, co-president of McAfee, and Michael Fey, McAfee CTO, did a wonderful job of outlining McAfee's strategy and how it aligns to legacy and emerging attack methodologies. DeCesare clearly showed how McAfee’s acquisition by Intel is paying dividends with the integration of Intel/McAfee technology, resulting in DeepSAFE/Defender and an ePO-vPro AMT extensibility. Fey and his team did a real-time demonstration of how new malicious malware continues to evolve and is a real threat, by showing the audience a new critical level Denial-of-Service takedown of a PC, MacOS, and Android system. They explained how the DeepSAFE/Defender product could prevent such attacks and how ePO with Intel vPro AMT technology can recover PC's remotely without the need of a physical touch by a technician.

On day-2, Mike Fey announced a new strategy to advance both the capabilities and economic automation of security controls through a more comprehensive and open ecosystem. It will leverage the vast McAfee GTI sensor cloud to identify tactical opportunities and advise customer environments, which can benefit at their discretion, by instituting local rules and even share their data to 3rd party services for advanced analysis and management. This will finally allow customers finer control of risk decisions for their environment, based upon near real-time intelligence gathered worldwide, to rapidly institute and easily maintain technical rules which may be inappropriate at larger scales or for broader communities, but fit perfectly for their local environment and risk appetite.

On the technology side, what was talked to last year with great anticipation, was shown in practice in this year's conference. In one of the most attended technical sessions, a team of Intel and McAfee speakers showed the architecture and spoke to the benefits of Deep Defender. In the past year, Deep Defender has become available and activations have been aggressive. Audiences were impressed with the capabilities and game-changing potential of this exclusive offering.

Deep Defender and other DeepSAFE technologies represent a disruptive change in the balance between how attackers and defenders interact. It has the capability of shifting the initiative to defenders, forcing the attackers into an undesirable position of responding to innovative detection and response technology. This is very good news for McAfee customers benefiting from the Deep Defender.

For those who explored the trade show floor, they were able to catch a glimpse of future Intel/McAfee technologies which may come to market. Demonstrations of secure boot technology, secure storage, virtualized IPS, secure video/audio, and others were available with lab folks to discuss the potential.

Overall, this year’s McAfee FOCUS conference was great investment of time for customers, partners, technologists, and security veterans. I can’t wait to see what next year’s conference has in store.

What a difference a few months make - Intel IT Mid-Year Report

webadmin@intel.com — Fri, 14 Sep 2012 18:33:44 GMT

What a difference a few months make. I’ve been Intel’s CIO for the past 8 months—a long time given the speed at which the business and IT are changing. This became obvious in preparing our 1st mid-year report. Annual reports no longer seem sufficient. In our report, you’ll find insights, lessons learned and the results we are striving for as we collaborate with Intel’s business units to drive business growth, employee productivity, and efficiencies across Intel.

Here’s a glimpse into some of the content included in the mid-year report:

How the development of advanced business intelligence solutions across Intel is yielding significant business results in the areas of manufacturing, security, sales and marketing and product design.
How the deployment of Intel’s first open source private cloud is enabling us to advance our cloud beyond compute IaaS and deliver services faster and cheaper.
How our BYOD program has helped Intel gain 2.75M hours of employee productivity in the past 6 months.
How social media techniques like crowdsourcing and gamification are providing insights into improving Intel, advancing our business and developing new products

Culture change is another big focus for the leaders in IT. With the landscape changing all around us, we are focused upon building a culture of “possibility thinking” across IT, one where our employees challenge the status quo, take informed risks and use disciplined collaboration to drive changes into the environment and innovate (see the story about ‘IT on the Go’ vending machines that dispense PC peripherals).

I invite you to check out Intel IT’s mid-year report online and please don’t forget to share your thoughts and insights with me here or connect with me on Twitter, @kimsstevenson.