Blog Posts From Open Port IT Community Tagged With threat

Enterprises Security Choices and Tradeoffs for BYOD

webadmin@intel.com — Mon, 13 May 2013 19:34:26 GMT

Bring Your Own Devices (BYOD) continues to gain momentum as users bring devices into work environments by the droves. Enterprises must make tricky security decisions to balance the tradeoffs of costs, user productivity, and security.

BYOD is effecting organizations both large and small. In our highly connected world, workers bring in familiar and favored smartphones, tablets, and other compute devices into work and expect to leverage them for convenience and to improve productivity. It can have a great positive effect on the business but also raises security concerns. Management can’t hide from taking a position, establishing boundaries, and understanding the tradeoffs.

In today’s responsible corporate environment, enterprises realize the danger of uncontrolled devices on their network and accessing business data. It introduces chaos to security and IT manageability, driving up risks and expenses. Organizations want to enable productivity of employees but must maintain a level of acceptable risks and keep costs flat, or at the very least justifiable. It is a tough balancing act between risks, costs, and user productivity.

Management has a number of high level choices, each with pro/cons and other tradeoffs. Before committing to a particular path, leaders must understand these options in order to select the best direction to set for their organization:

1. No personal devices allowed. Forbid personal smartphones, tablets, and non-managed computers from accessing work systems, networks, and data.
Pro: This stratagem manages security risks and keeps costs relatively flat. It has been the traditional solution.
Con: Not practical for 99.9% of the world. It’s like trying to hold back a tidal wave with a paper cup. Workers, starting with the tech savvy, will bring in devices and connect them, soon to be followed by the rest of the staff. Most likely they and the less technical community has already been doing this for some time. It starts with email forwarding, access to work calendars, meeting logistics, file sharing, instant messaging, etc. Implementing such a policy ignores the opportunity for significant worker productivity gains and stifles flexibility which is so desired by everyone. When employees have convenient access to such data, they are more effective, efficient, and happy.

2. Company provides mobile devices. Providing corporate managed devices in lieu of employees’ personal devices, allows vetting of systems before they access work networks and data.
Pro: Security standards, selective deployment, and the ability to enforce controls, allows the organization to manage risks and costs.
Con: Upfront expenses are high, user happiness tends to be low, and manageability costs slowly creeps up over time. The out-of-pocket equipment and service costs can be very expensive. To control costs, most organizations will not provide everyone a company device. So there emerges a “have” and “have-not’s” class system which spawns resentment. Those who are provided devices must manage their personal devices in addition to the company provided ones. If you have ever been forced to carry two phones, you know how much of a pain this becomes.

Even in a perfect environment with happy users, a different problem emerges. The comingling of personal and private data on employer managed devices. This can be a nightmare, fraught with legal and ethical pitfalls.

Each class, brand, and even model must be configured and secured. IT departments must support users trying to access services and data. The more types of devices, the more complex and expensive the support becomes. One of the keys to managing support costs is scalability. So, it is normal for an organization to settle on one or two to start. Which will not make everyone happy as people have their own preferences. Demand can grow to expand the list of supported configurations, especially as new options become available in the marketplace. Expanded support is great for users, but a nightmare for IT as it increases the legacy support of older configurations which are still in use. Over time the cost to support will steadily increase and the cost of refreshing old and damaged devices will be ever present.

From a productivity perspective, users get an initial boost from the latest equipment and software, but will soon see a degradation as the organization cannot keep up with the latest features coming to market.

3. BYOD of Any Device. All devices welcome with open arms! Users are able to bring in, connect, and use their favorite devices. Security controls are usually network based or via containerization technology on the device itself.
Pro: Initial hardware costs are very low for the organization, as the user absorbs initial out-of-pocket costs for the device. Productivity remains high, as users will continually install latest applications and refresh to current hardware as they see fit.
Con: Expensive to manage and secure. Costs skyrocket to provide and maintain security controls and connectivity support over a wide swath of different devices and applications. Security solutions, many with a high per-seat cost, is required. Not all devices are created or configured equally, adding to the cost and frustration of IT and security departments. The expenses continue to increase and never plateau as users follow the non-stop march of evolving technology, applications, and shiny devices

Challenges with co-mingling of users private data with enterprise oversight can still persist depending upon controls and access configurations

4. BYOD of Certain Devices. The middle ground, allowing users to front the initial costs and enterprises can focus on security and management of a much smaller subset of devices. Network, cloud, and device containerization technology provide security.
Pro: Low initial costs as users purchase the devices. It is a flexible model where the optimal balance of cost, productivity, and security can be adjusted as needed.
Con: Still costly, as the enterprise must invest in security solutions for allowed devices, but policy will limit the number of configurations and therefore help keep costs and risks more manageable. As new devices are supported costs will rise due to legacy support and other complexities. Security is managed based upon the vetting and controls mandated for approved configurations.

Productivity varies based upon the breadth and timeliness of support for new technologies. Satisfaction and productivity also follow this curve. The more devices and applications supported in a timely manner, the happier and more productive the users, but the costs skyrocket accordingly.

Sadly, the pesky problem of data comingling is still present.

There is no universal winning choice. It really depends on the organization, risk appetite, budget, worker productivity needs, and the sway of the most vocal users. A very small number of organizations can disallow all personal devices, mostly government types. Only companies willing to spend a tremendous amount of money on hardware or those which already have a strong caste systems to support a limited distribution will be interested in providing workers with such devices in addition to primary work PC’s. Organizations which have little need for confidentiality, integrity, and availability aspects of security might be able to live with openly connecting any BYOD their users may bring into the office. Although a significant number of organizations may try to dabble in this area before realizing the rapidly growing support costs and security issues before changing to a different strategy. In the end, I believe the majority of organizations will choose to embrace the last option of supporting only certain BYOD devices. They will select a mix of devices, software, and controls which satisfy a broad community while keeping costs and risks predictable. This is no small feat as these solutions are not yet mature.

Every organization must find their own path. They must consider the options and tradeoffs of costs, productivity, and risk. No perfect solution exists, but with forethought, collaboration with users, and solid execution, a manageable solution might be within grasp.

Information Security – it’s not only about the technical controls!

webadmin@intel.com — Thu, 11 Apr 2013 20:49:41 GMT

Security means many different things in different contexts. With Information Security, it should be about protection of an asset from a known threat. But many times there are biases to security solutions based on controls that are predetermined. The most important questions that should be asked before the how part is defined for a security solution are;

Why is there a need to establish security? It’s an important premise that you determine the value of information to your organization and to your adversaries.
Secondly, who are you protecting this information from? If one is to protect something, one has to identify what the threats are, so as to take appropriate steps to mitigate them.
Thirdly, protection or prevention is one aspect of security controls. Considere detective and corrective mitigating controls addition to preventative mechanisms that could fail.

Because of biases in specialty areas, there could be a tendency to emphasize specific technical controls in defining a security solution. This leaves a great deal of ambiguity and more fuel for fear, uncertainty, and doubt that plagues the field of protecting computer information systems. And as Matthew Rosenquist described in one of his blog posts last year when asked for one word to describe the biggest challenge in information security these days, he used the word ambiguity. While many security researchers are trying to find the latest security flaw, other security professionals are trying to determine how the next security tools provide better technical protection capabilities. But it’s important to realize that information security is not only about the technical solution, it should be a business decision first.

Information Security is not only about technical threats and so technical security controls should not be the first consideration for protection. Technology is often among several other countermeasures used to implement a security solution after defining what it is that needs protecting and from whom it needs protection. This is where administrative controls should be considered first so that the definition of what needs to protect can be defined through procedural controls. Some industries have policies, standards and guidelines that must be followed based on the type (classification) of information, but risk should be evaluated based on threats in context of the environment for which the information made available through processes, transferred, stored, or destroyed. A defense-in-depth strategy should be considered during the earliest stages of the development lifecycle but oftentimes there are changes to the environment that are made well after the deployment of a system or software solution that can introduce risk from new threats or greater exposure to existing ones. Before administrative controls are defined, a risk assessment should be completed to analyze the threats for which any system is vulnerable to.

The real value of a risk assessment is that some systems may process information that is not under industry regulations for protection but still have value to an organization. In many cases an organization will focus on risk from audit failures and apply most of the security dollars to mitigate risks defined by audit report because information classification levels require regulatory protection such as Sarbanes-Oxley Act (SOX), PCI Data Security Standard (DSS), or Health Insurance Portability and Accounting Act (HIPAA) just to name a few. But information of value does not only fall under classifications that have industry standards for protection levels. The risk assessment is a way to have dialog amongst the team and is helpful to communicate with management across the board for all information protection requirements becuase ultimately it is a business decision to implement security controls. Additionally, security controls can be protective but detective and corrective security controls should always be a consideration for a Defense-In-Depth security strategy. One strategy that is taking a more reasonable approach to increasing the level of information assurance is the focus on the threat rather than the vulnerability through the use of a Threat Agent Risk Assessment methodology developed by Intel. This approach places emphasis on what is reasonably possible from a threat perspective in order to address the most likely events.

Security Does Not Need to be Complex to be Effective

webadmin@intel.com — Mon, 08 Apr 2013 18:12:39 GMT

Even a 10 year old little girl can prove this fact:

A 10-year-old girl thwarted an abduction attempt after asking a stranger for a code word that he did not know.

A man approached a 10 year old girl outside a public school and attempted to lure the girl into his vehicle. The man told the girl her parents had sent him to pick her up. But the girl and her parents had setup a shared secret code-word for anyone authorized to pick her up from school.

The girl asked for the code word but the suspect got it wrong. She told him it was incorrect and he drove away.

I applaud the parents for a job well done in implementing a simple and effective security solution and to the little girl who deftly executed to it, likely without the need of understanding the grim impacts of failure.

In the security and technology industry, we can learn volumes from this encounter. First, a security savvy person is far more effective than a stack of technical security controls. Second, complexity does not guarantee effectiveness. In fact, simplicity can be more cost efficient and easier to implement. An elegant solution, is one which is accepted, applied, and delivers the preferred result.

As security professionals, we have an opportunity to meet these requirements to deliver an optimal solution through a marriage of inherent human and technical considerations. We must not forget, computer security is a combination of both. The very best solutions enhance the user’s ability to be secure without being cumbersome. Pure elegance.

Poor Security Policies Lead to Disastrous Customer Service

webadmin@intel.com — Fri, 25 Jan 2013 18:13:03 GMT

Security is about preventing loss. But be careful, as instituting poor security policies can drive away customers and impact your business.

This is a story of how a financial institution is doing security wrong.

I have been a customer of a local credit union for nearly 40 years. It has a few branches, online services, and prides itself on customer service. My account was open at a very young age and had since moved away but always kept my account active and enjoyed a number of the financial service offerings over the years.

The problem began in a benign manner. I recently moved and was changing my mailing address with my various financial, health, and business accounts. In today's web-centric world, it is pretty easy to accomplish. In every case except one, I would login to the organization's website with my credentials and provide my new address. In some cases I would have to provide additional information for verification, but the process was smooth. They quickly followed up with an email notification or a card in the mail at the previous address as a measure to detect fraudulent submissions.

Then came my credit union. Their website requires a User ID, password, and additional validation of challenge-response questions if connecting from an unrecognized or public PC. It even sports an anti-spoofing feature where an image previously selected by the customer is provided as part of the login. All wonderful security measures which I applaud. However, it lacks a friendly user interface to edit profile details. With no obvious way to change my mailing address online, I called the support number and was informed I needed to write a letter requesting a change of address, provide my account number, and signature, and send it via US mail to their offices for processing. Although inconvenient, I followed the instructions.

A few days later I received a voicemail at my home number, which was on record with the credit union, and was informed they received my written request but didn't believe my signature was authentic and therefore declined my change of address. What?

I called again and at their request provided my account number, date of birth, and last four of my social security number, home phone, email address, and mobile phone number to validate my identity. After providing all that was requested in addition to details about my account history which would not be on any recent statements, I explained my issue to the supervisor in charge. I was informed they could not readily locate my written request but reassured me it should be around somewhere and instructed me to either come into a branch, which is nearly 2 hours away, or photocopy my driver’s license and fax it in.

No.

I refused to be a part of such "security theater" (as Bruce Schneier would say). I asked why all this is necessary to change my mailing address? With the information I provided on the phone or necessary to login online, I can electronically transfer funds to external accounts, receive a personal loan, reset passwords, request checks, and change all other contact data in my profile. Why the elevated security for a mailing address change?

Here is my favorite part. The supervisor, in his best authoritarian voice told me it is for my protection, that I probably wouldn't fully understand the security risks, and that is was 'required by law'. When I told him I am a security professional of 20 years, have consulted banks, and work as a computer security strategist for one of the most prominent companies in technology, his voice went soft. I explained how the additional controls provided no appreciable value and how the rest of the industry follows more rational practices. I challenged the representative to identify the regulatory requirement, because none exists which specifies a written and signed request or photocopy of a state identity as necessary to fulfill a change of address request on a basic consumer financial account.

In the end, we came to the obvious conclusion he was simply following the company's security policy, one created with the best of intents, but lacking both insight and effectiveness to reducing the risk of loss. It is in fact counter-productive, causing frustration on behalf of the customer and consuming employee resources for no appreciable risk benefit. Regardless of the absurdity, as good employees, they are bound to adhere to it. I don't fault them, rather the management who instituted the ill-advised policy. We were at an impasse, my stubbornness against their policy.

As I am a fan of economic models and democracy, I have chosen to vote with my wallet. I abandoned my goal of an address change and instead asked for two things. First, to close my account. Second, to provide me with the email address of the CEO.

I deal daily with the security industry and ecosystem. I have found in many cases the CEO's and CISO's are insulated from some of the choices they make and unaware of potential side effects of their security policy. The best management hunger to know of issues and is always looking to optimize their security practices. With this in mind, I wrote a friendly note which I emailed and also hand delivered (when I visited in person to close my accounts) to the CEO of the credit union to help in his awareness. Although he has not responded, I still have hope good security practices will prevail for the benefit of the remainder of his customers.

The lesson here is security controls must be consummate with the value of what is being protected. A proper, efficient, and effective security policy is a powerful tool in the hands of capable employees. But at the same time, poor security policies can have a detrimental effect on customer service, resources, and the business's bottom line.

Beware of policies which provide no additional level of security. It does not make sense to require extra hurdles to protect less critical assets. In this case, current phone and online verifications, sufficient for more sensitive transactions, should have sufficed for a change of address. As an extra measure, consider a post transaction notification via mail, phone, or email, which is the accepted standard.
Superfluous policies create inefficiencies and more unnecessary work for the employees and customers. There is always a cost to security. Squandering resources due to poor security policies is not good use of time, customer's patience, and employee effort.
Any policy which unduly hassles customers, delays services, and potentially exposes private information to unintended parties should be revised. In this case, with the wrong address on file, upcoming tax documents would be sent to an address not that of the customer. Such policies must consider that 'failing-safe' may require a change in status-quo. Additionally, in this case, the policy called for the creation of more unneeded documentation with account information and potentially a photocopy of government issued identification (which likely would also contain unneeded personal information), and the apparent inability to manage the storage and destruction of aforementioned paperwork. Policies should not exacerbate or complicate identity and data situations.

Instituting the perfect security policy is difficult in every industry. We must however keep our eyes open and understand the unintended consequences in order to learn and adapt. An optimal security policy must align to the risk-appetite of the organization, meet legal requirements, and fit within cost considerations without jeopardizing the critical services to customers. When it fails, either too overbearing or too weak, it can fail big. I hope other organizations can learn from the viewpoint of their customers and the lessons of their peers. This is a learning opportunity for all.

I have intentionally omitted the name of the institution and parties involved, as they are not important.
..if the CEO does respond, I will update this blog and even post his response if he grants permission.

Top 10 Security Predictions for 2013 and Beyond

webadmin@intel.com — Thu, 03 Jan 2013 17:04:49 GMT

It has been an exciting and eventful year in the world of computer and information security. As I look back through the stack of articles, conference notes, political and regulatory wrangling, technology winners and losers, and most captivatingly, the behaviors of the attackers, I find myself giggling like a schoolboy. It is truly a wonderful time to be in this industry. We certainly live in interesting times.

As the chapter of 2012 has come to a close and the blank pages of 2013 open before us to be written, it is time once again to look into the future and predict what the next 12 months hold for the cyber and information security domain. Based upon nailing last year’s predictions, I believe I have earned consideration to wear the turban of Carnac the Magnificent.

…which as I think about it, may be a reference which most readers may not get: Johnny Carson, The Tonight Show. Oh, never mind. I am old, go Google it.

Many aspects of security will continue to hold true. Malware will increase, vulnerabilities will be discovered, systems will be hacked, patches will be issues, fraud and loss will be rampant, stories will be sensationalized, victims will cry, attackers and defenders will get better, legislatures will demand action, and the citizens will be aggressive in expressing their opinions and asserting their rights. Certain characteristics of security are persistent. These are pedestrian predictions. They go without saying. Above and beyond those are my security predictions for 2013 and beyond:

Top 10 Security Predictions for 2013 and Beyond:

The devastating Internet-infrastructure Cyber-DOS attack, will NOT happen!
Fear mongers relax. The debilitating Denial-of-Service of our precious Internet-of-Things will not happen, at least in 2013 and likely not for some time, if ever. The only real chance of this is if an all-out war broke out between major technology-vested countries. When troops and tanks roll, all bets are off on the potential for collateral damage in the cyber world. Short of that, an elaborate attack to do irreparable harm to the Internet is just not likely. Those who can, rely upon it themselves. Those who want to destroy the evils of the Internet, likely do not have the ability to succeed. It is a stalemate. Targeted attacks may occur, but the great “Cyber Pearl-Harbor” is just not realistic.

But what about the rapid advances of nation state cyber warriors and technologists? Heavily financed, well resourced, and highly motivated to fight and win in the cyber battlefield? Well, here is the real story. Any professional investigator, military strategist, or intelligence operative worth their merit, will tell you the goal is to compromise a command, communications, and control network. Not to destroy it or take it offline, but rather to conduct surveillance, gather intelligence, and then use it in ways to undermine and target the enemy. The last thing you want to do is take it offline! The professionals know this. It is the amateurs who launch DOS attacks, as the pro’s play a smarter game.
The real target for 2013 and beyond, are BANKS!
Forget DOS attacks against social sites, vulnerabilities in toasters, lost health records at the local clinic, and data compromises at NASA. The real targets are banks. Professional criminals and syndicates are getting smarter and realizing the Internet is a much better means to achieve financial gains, than the local streets and traditional businesses they play in. With unimaginable wealth sitting just beyond the keyboard, they have the resources to invest in order to seize major scores.

Where are all these riches you ask? Mr. Willie Sutton, an infamous bank robber of the 20’s, would likely tell his compatriots to ‘go where the money is’. Banks. This is how it has always been, as thieves gravitate to where the loot is.

With banks rushing to connect with customers online and via phones, they have underestimated the lurking dragons waiting to pounce. These attackers range from the rudimentary to the highly organized. But the truly dangerous villains are experienced in being selective, stealthy, and planning for multi-million dollar heists and scams. It is happening already and we have seen but the tip of the iceberg. The banking industry needs to wake up. Security must be taken seriously as they expand to reach and service their customers. In 2013, we will see many failures of this. Only those organizations who invest in both superior security leadership and technology will stand confident.
Arrests, prosecutions, and pressure against threat agents will continue go up!
Last year we witnessed an aggressive crackdown on hackers and cyber criminals. Security and law enforcement capabilities, techniques, and cooperation continue to grow and improve. Tangible success in security reinforces investment. This momentum will accelerate in 2013 and we will see many of the less savvy players brought to justice. Expect this trend to thankfully continue forward.
Cyber regulations remain inconsistent across borders, vague, and ineffective. But will continue to slowly coalesce.
Politics, economics, social expectations, and regional differences in what is considered an individual’s right will continue to hamper globally adopted regulations. But this is an important and valuable effort, which is the one thing everyone agrees in common. They will continue to slowly align, find tradeoffs, and coalesce for everyone’s benefit. Patience. It will be a bumpy ride with false starts and turmoil, but it will get a little better in 2013, then 2014, etc.
Governments invest heavily in Cyber
Tech savvy governments have no choice. They must now invest in cyber technology to defend their systems, people, privacy, and national infrastructure. Larger governments are investing heavily in offense, defense, detection, infrastructure testing, survivability, intelligence, resilience, SOC/CERT's, Hunter Teams, etc. They will evolve to both establish and defend their online territory and systems. As we saw in 2012, many governments are openly recruiting and establishing centers of excellence for the particular skills necessary to reach out and influence or affect others. In 2013, many such entities will have created and begun training in earnest with viable offensive cyber weapons. Welcome to the fifth domain of warfare. There is no going back.
Regulations increase in depth, breadth, and specificity for high technology
Technology hardware, software, cloud services, mobile devices, and the data collected from all those sensors will come under regulatory scrutiny. It won’t all come at once, but it will come. Privacy, critical infrastructure protection, government systems standards and minimum controls, data aggregation, and remote surveillance will be the first targets for more specific and comprehensive requirements.

Many of the current or first generation government regulations were broad in nature. They are getting more explicit and lengthy. Ever read the NIST 800 series? This is not necessarily a bad thing, but bureaucracy can sometimes be slow to respond to rapidly changing environments. Satisfying regulations is always a start, but never a guarantee of security. In 2013, we will see more required oversight, business practice investigations, clarity in technical and behavioral requirements, and those out of compliance will be penalized.
Mobile malware and attacks increase
No surprises here. Although it falls into the category of blazingly obvious, it still deserves a call-out. The rapid adoption of smartphones worldwide has spawned an insatiable vortex of desire for applications and services. Each an opportunity for attackers. The rush and competition for product releases has left security as a distant bystander. This environment is ripe for rampant malware and attacks. We all will start to see and feel the pain in 2013.
Covert attacks get better, more sophisticated, and tougher to decipher
Amateur night is over. Although the vast majority of malware out on the Internet is basic and well understood, this will begin to change. Sophisticated covert attackers have learned that discovery is the death knell of their malware. They will take innovative steps to stay hidden, be more resilient, survive counter-attacks, and make it much more challenging for security researchers to understand the inner working of future malware.
Innovation rules. Attackers and defenders get better, at a much faster rate than before.
Investment spurs innovation. The world is becoming more connected between people and valuable services. With governments, businesses, and consumers investing in security, the stakes and investment are raised. Both attackers and defenders will improve to counter their respective adversaries with innovations backed by these investments and opportunities. The race will simply get faster.
Patent lawsuits to infiltrate the security services industry?
Patent lawsuits are rampant in the technology sector. Will security become the latest target in 2013? Perhaps. This prediction will come down to economics. I will confidently predict more patents will be filed for security in 2013. Only if a significant paycheck is plausible, will the patent lawsuit community begin to circle. I give this a 50% chance of seeing a security technology patent lawsuit by the end of the year.

There you have it. My top 10 predictions for 2013. Come back in December and we can celebrate together or you can berate me mercilessly. Either way, it should be a fun and interesting 12 months.

2012 Crackdown on Hackers and Cyber Criminals

webadmin@intel.com — Thu, 27 Dec 2012 17:36:09 GMT

A number of high profile takedowns, arrests, and prosecutions have occurred throughout the year. As I predicted for 2012, we have witnessed a tremendous amount of pressure towards the people behind computer attacks. More focus is being placed on interdicting and removing the threat-agents, the term for archetypes of attackers, instead of just addressing the vulnerabilities exploited by their attacks. Targeting the culprits behind computer attacks effectively cures the root cause instead of just treating symptoms. Individuals and groups were pursued by law enforcement agencies, security firms, and internal response teams worldwide. It is emerging as an effective and necessary practice which continues to gain momentum.

Recently, US Justice Department officials announced they will pursue criminal charges against threat agents sponsored by other nations. This is huge. It will expand the scope and depth of worthwhile investigations in areas holding the greatest potential for loss. Although laws have been in place since 1996 to protect from economic espionage, it has largely been ignored, partly due to the difficulty of proving foreign government collusion, political ramifications, and also due to the complexities of presenting a solid legal case.

With sufficient numbers of properly trained prosecutors, it may be possible to bring enough cases to into public view to have a sufficient impact and drive change. Optimally, public awareness and support is critical to address political hurdles and approve necessary funding for future prosecutions. Knowledge by current or prospective threat-agents promotes deterrence and a stigma of wrongdoing for those who are impressionable and may see such activities as attractive. Lastly, successes in prosecution will show other regional and international law enforcement agencies that this is a problem which can and should be tackled. With a growing list of successful cases, it promotes the necessary legal infrastructure and expertise to make the process more efficient. All this adds to a stronger capability to remove the elite and upcoming talent who choose to leverage technology in malicious ways at the detriment of others.

Here are some of my favorite cases for 2012:

Arrests against the international Butterfly Botnet crime ring, responsible for over 11 million compromised computers and $850 million in losses http://www.fiercegovernmentit.com/story/fbi-announces-arrests-case-international-cyber-crime-rings-linked-butterfly/2012-12-13
FBI "Carder Profit" sting busts people in 12 countries, dealing in stolen credit card numbers. http://tpmmuckraker.talkingpointsmemo.com/2012/06/fbi_sting_carderprofit_cc.php
Microsoft’s Digital Crime Unit (DCU) continues to lead the charge against botnets, with impressive work against Nitol, Kelihos, and Zeus. These guys and gals are my heroes, really. http://www.microsoft.com/en-us/news/presskits/dcu/
An international cyber scam ring was prosecuted, which had used scareware tactics to defraud $71 million by selling bogus security software after infecting systems. http://www.justice.gov/opa/pr/2012/December/12-crm-1503.html
Sentencing of the team behind a shockingly coordinated worldwide banking attack, involving participants in over 280 cities worldwide, who siphoned over $9 million from 2100 ATM's. This involved compromised bank accounts and synchronized ATM withdrawals http://www.fbi.gov/atlanta/press-releases/2012/sentencing-in-major-international-cyber-crime-prosecution

This is just the start. Expect this list to grow significantly in 2013. I am confident as more pressure is exerted on cyber criminals, the threat landscape will thin thus allowing for resources to target those who adapt and attempt to cause the greatest harm. It is the normal cycle of criminals, technology, and justice. I can’t wait to see what interesting prosecution holds for 2013.

The confounding world of information security terms, from Access to Zone of Control

webadmin@intel.com — Mon, 17 Dec 2012 21:46:43 GMT

Communication is incredibly important in the security industry. We must work together, be it small teams, across organizations, or beyond boarders throughout the industry, government, supporting ecosystem and academia. But we have a problem. It has become commonplace to talk past each other with terms a speaker perceives as precise, but audiences interpret in vastly differing ways. In many cases terms can have a multitude of definitions with a high dependency on context. But when the description of the context also contains words with varying or unclear meanings, the problem is proliferated.

It causes enough separation to inhibit conveyance of clear ideas, concerns, and expectations.

To make matters worse, the sheer size of the security vocabulary has grown immense and continues to expand. Listening to some conversations, it sounds like a new language of acronym soup: "The ROSI of the SEIM is highly dependent on the SOC's ability to filter False Positives to track APT's and protect SPOF's from Integrity and DOS Availability attacks. " I am truly sorry for anyone who actually understood that...

Even the hard core professionals get tripped up over terms which may be clear in their mind but not so with listeners. Terms like hacker, Advanced-Persistent-Threat (APT), identity, loss, threat, and even what constitutes an 'Attack' can differ greatly. One of the most overused and inconsistently defined term is 'virus'. It has become a catchphrase and conglomeration of negative events, computer code, and a moniker for vulnerability. If you asked twenty people to define 'virus', you would likely get twenty-one different answers. It did at one time, have a very specific definition. It was a type of code which injected itself into other code or processes and replicated. But today it tends to be used as a term which covers all manner of malware, including Trojans, bots, droppers, worms, spyware, sniffers, loggers, backdoors, spyware, ad-ware, Potentially-Unwanted-Programs (PUP), etc. Some of which are actual categories of code, while others are simply descriptions of how or what that code does. A blurry line of delineation to be sure and all of which actually have their own definitions. It can be all so confusing and we in the industry are not helping the situation. Does anti-virus software only target viruses? No, of course not. But we cannot be more articulate, at the risk of confusing everyone even more!

The industry is hobbled by an inability to consistently and effectively communicate. So, with a big round of applause and gratitude, I want to thank those hard working folks at NIST. NIST has been busy, very busy. They have released the second draft of their Glossary of Key Information Security Terms. An impressive listing of technical and general industry terms, covered in over 200 pages. It is a sizeable document, defining terms from Access to Zone-of-Control. But sadly, it is not even close to a complete reference for computer security vocabulary. The NIST glossary focuses on aggregating the terms and definitions of their library of documents. It is not intended to define terms for the whole of security. Acronyms and expressions like ROSI (Return on Security Investment), Crossover Rate (the point where False-Positives equals False Negatives, also referred as the Crossover Error Rate), SOC (Security Operations Center), and CERT (Computer Emergency Response Team) won’t be found in those pages.

So how big is the computer security vocabulary? It is a bit scary to ponder and doubtful anyone knows for certain. But until someone comes out with something better, I am adding this to my reference library. In the end, we must all struggle to communicate effectively. Defining common terms goes a long way to make our security industry stronger.

AV is Not Dead

webadmin@intel.com — Thu, 06 Dec 2012 17:45:15 GMT

Recent stories in the news imply Anti-Virus (AV) is dead. A longtime staple of security managers and consumers, AV and more broadly, anti-malware products are a pillar of the security industry. Could all our investments, preconceptions, and efforts be worthless? Rest assured, the sky is not falling. The “Anti-Virus is worthless/dead” mantra has been around for years. Yet the anti-virus/malware industry is alive and thriving, with good reason.

The world of computing is a dangerous place. Client systems, such as PC’s and more recently smartphones, are under constant pressure from new malicious software. To date, about a hundred million different specimens of nefarious code are in the wild and ready to pounce on their next victim. Those numbers continue to increase by tens-of-thousands of new malware emerging daily.

Most of the security industry embraces anti-virus/malware protections resident on their devices, to resist the persistent onslaught of malware developers. Even consumers, typically not savvy in security matters, recognize the value of AV in protecting their devices and data. In most managed environments, anti-malware controls are leveraged across the networks and back-end servers, in addition to client systems.

Over the years, a very small community has voiced opinions that AV is dead or worthless. They hold the position client based anti-virus and anti-malware are ineffective at protecting systems. They run tests against small samples of new malicious code or show how some systems still get compromised even when benefiting from AV products. Year over year they speculate how traditional AV methods can’t keep pace with the increasing malware being introduced and it is on the verge of collapse. Like doomsday predictions, they keep coming.

I believe this is an extremist position and in many cases, putting forward a misleading straw-man argument. The false-logic goes something like this:

Longstanding position of the security industry: Anti-Virus/Malware provides important protection of systems against malicious code
False-logic counter argument: Anti-Virus/Malware does not provide total protection and a system could be infected with malicious code, therefore AV is not worthwhile and dead (or soon will be)!

Don’t fall for the hype. Here is the real scoop. Anti-virus/malware solutions are one of many different security controls. It is not an impervious shield, just like all other potential protections are not perfect solutions. These tools do provide a great deal of protection but should be used in combination with other controls. In security parlance, it is called Defense-in-Depth. No one tactic or tool will suffice. The attackers are just too many and too smart for a single control to work across the board for any meaningful period of time.

More reasonable people in the past have also weighed in on the value of AV and in some cased they have chosen to rely on other compensating controls. But their message is different than “AV is worthless”. They see AV as one of many different options which can manage security risks. They are savvy enough to choose the right set of interlaced solutions which achieve the desired level of security for their specific computing environment. This can be misconstrued when it is not understood. In the end, they are still applying a defense-in-depth methodology.

Why would a security professional choose not to deploy Anti-virus/malware on clients? Well, in some delicate, isolated, or sensitive environments AV may not be a viable option. Products may not support the hardware, software or operating systems, be cost prohibitive, invalidate system or maintenance warranties, or be unacceptable from a performance perspective. Instead, other security controls may be employed which compensate for this deficiency. As far as I have seen, these tend to be limited to small parts of corporate environments. For most systems which connect to large networks and the Internet, anti-virus/malware makes practical and economic sense.

Evaluating controls and implementing the right combination has been at the very heart of computer security from inception. Time and again, anti-virus/malware has been chosen as a valuable contributor to the mix. This will likely not change in my lifetime. Rest assured, akin to what Mark Twain said, I say the death of AV has been greatly exaggerated.

Time machine sampling for the “AV is dead” concept:
2012 report: Antivirus Software a Waste of Money for Businesses, Report Suggests

2012 article: Is Anti-Virus Really Dead? A Real-World Simulation Created for Forensic Data Yields Surprising Results
2010 article: Is Anti-virus Dead – The answer is YES. Here’s why…

2009 article: Experts only: Time to ditch the antivirus?
2009 venerable Bruce Schneier’s blog: Is Antivirus Dead?

2008 article: Signature based antivirus is dead: Get over it

2007 article: Is desktop antivirus dead?

2006 white paper: Anti-virus is Dead

And finally, here is my own blog post from 2010 showing hard numbers of effectiveness for AV: The Hard Truth of Anti-Virus.

Cyber security Hunter teams are the next advancement in network defense

webadmin@intel.com — Wed, 28 Nov 2012 15:52:17 GMT

Hunter teams are emerging as a new tool in the world of cyber defense. Computer security continues to improve and evolve of overtime. One of the latest practices gaining momentum is the use of cyber security “Hunter teams”. Differing from how standard security operations function, hunter teams fill an important gap and push us one step further on the evolutionary ladder of cyber security. They are cyber-investigators which enhance an organization’s capabilities by supplementing the overall defense from persistent attackers. They are typically a group of bright, experienced, talented, and motivated professionals which work together to detect, identify, and understand an advanced and determined threat agent.

Hunter teams approach threats in a personal way. They seek the human origins of attacks and focus their attention on disruption or removal of those threat agents, instead of the attacks themselves. In simple terms, they target the attackers.

These hunter teams are sprouting and taking root in many different places. Anti-malware companies, research organizations, and internal security departments have begun to embrace looking for the attackers. Investigation teams, including cyber guns-for-hire which are brought in after the fact when serious breaches are detected, are also looking for the people behind the attacks. However, it has been the military and sensitive government organizations which have been most vocal in recruiting for hunter team talent. They have the long history of knowing the value of identifying the enemy and have been quick to embrace this practice and are serious in making it successful.

Hundreds of years ago Sun Tsu penned the authoritative tome on warfare strategy. One of its pillars is to know your enemy. A key to conflict is to understand that attacks are simply a method for the threat agent to achieve their objectives. An active defense not only shields against attacks, but also targets the attackers. Those people who would do you or your mission harm. Take the attackers out of the equation and the attacks also go away.

Hunter teams play an important role, different than standard security operations staff. In the past decade, we have seen the rise of security operations centers (SOC). Security operations departments are typically configured, resourced, and driven to contain attacks and remediate to a state of normal operations. They are in a continuous cycle of fixing the symptoms and tweaking the defenses so the organization continues to operate in a stable and expected manner. It is a never ending struggle which works best against the flood of broadly sweeping attacks on the internet, which look for any target of opportunity. In most cases, SOC’s are only interested in attacks which undermine the operational performance and value of the environment under their protection. They are well suited to tackle ordinary malware infections or plug understood exploit activities by using industry best-known-practices, but can easily falter when faced with something unique and specifically targeting only them. They are by design inwardly focused, limited to a technology sandbox of security control configuration or fixing assets within their internal environment.

Hunter teams take a different approach and seek the root cause, namely the threat agent themselves, who are initiating one or more attacks. This may be internal or external to the organization. Not satisfied with simply undermining the latest infraction, they want to quell the problem at the source and eliminate future attacks from the same threat agent, whom may possess the ability to coordinate completely unique and unpredictable maneuvers.

History shows why this is important. Attackers maintain the combat initiative and determine where, when, and by what method an attack will occur. Defenders typically respond to attacker’s moves and evolve the defenses to protect against those newly understood methods.

Attackers therefore have an advantage. It takes time, effort, and resources for defenders to recognize they are being attacked, decipher how it is being done, then develop a means to isolate the ongoing breach and block future attacks, and then remediate the affected systems. A threat agent who is determined to attack a specific target can try a number of methods until they succeed. Without threat of themselves being in jeopardy, they can continue varying the assault until they find an approach which works. The only effective way to stop such a persistent threat agent is to dissuade or remove them from the equation. This is where the hunter teams come into play.

Criminal investigators are a good example of the hunter team methodology at work. If someone breaks down a door to rob a bank, the security operations team looks to install stronger doors and maybe a better alarm system. They are inclined to identify and close the vulnerability. A criminal investigator will look to see who is trying to rob banks and target those threat agents. The investigator knows such a robber will continue to evolve their tactics until they succeed. Operations efforts to improve door standards, alarms, etc. are still fine measures which reduce the risk of loss, but the investigator’s role is just as important.

When I managed Intel’s Security Operations Center, I was also the Incident Commander for the company’s IT Emergency Response Process. This is the team that takes charge whenever the company’s computer environment is being attacked. I remember during a virus outbreak instructing the security operations team to track, isolate, and clean infected systems, and then turning to my intelligence section leader and asking him to go forth and determine whether the incident was simply a wild virus finding its way through the cracks or was it a directed attack specifically against our company. The challenge I assigned the intelligence lead was so I could understand if the threat agent was specifically targeting Intel Corp with their malicious attacks or if we were simply caught in a broader net cast with a generic attack. This would help me understand whether it was a fluke oversight in the configuration of our defenses or just the beginning of something far worse, potentially a directed campaign against our security infrastructure.

Cost and scalability limits will constrain their use, but hunter teams are an important step forward for the industry. Cyber security hunter teams have been in limited use for some time and are gaining momentum. The results can be seen in the news. Botnet takedowns, the breaking-up carding rings, shutting down of illegal fraud sites, malware author arrests, and the prosecution of insider theft and sabotage cases are possible because the attackers were targeted. What are not publicized are the equally impressive results which occur quietly in defense of highly protected networks. These teams can be valuable in identifying the root cause of problems, putting the puzzle pieces of seemingly disparate incidents together, identifying the offending attackers, reconnaissance for early alerting, and providing intelligence necessary to interdict and prosecute them. Hunter teams can be a very powerful tool and effective in stopping some of the most grievous threats.

These specialized capabilities come at a cost. In order to succeed, a combination of brilliant talent, tools, support from legal, and in some cases partnership with law enforcement and industry partners/suppliers/customers, is required. It is a significant investment to establish and maintain a team at a sufficient level to see worthwhile results. Additionally, something intangible is needed; patience. Even the most proficient team needs time to hunt and results can vary greatly.

Beyond costs, hunter teams also have a significant downside. They are not very scalable. Most teams work a single case or issue to closure. Some teams can multi-task, but at a great loss of effectiveness. I have been fortunate to be a part of a world class loss prevention team, specializing in detecting, tracking and prosecuting threat agents. When on the hunt, teams are narrowly focused. Timing is critical. Proficiency matters. Splitting attention to a multitude of separate cases is a recipe for disaster. Compared to security operations teams, which can much more easily multitask and close issues with great speed, hunter teams seem to move in slow motion. But what they lack in the quantity of case closures, they can make up for in results. Overall, the high costs and the lack of scalability are tall barriers which prevent widespread adoption.

Certain organizations, where the cost and scalability headaches are worth the additional security capabilities, should consider the use of hunter team’s. Environments where assets are targeted by persistent, creative, and resourceful threat agents, seeking explicit objectives, from a specific target will benefit the most. Identifying and understanding these dangerous and capable adversaries, who seek to undermine your security controls and compromise your environment, is an important step in countering massive potential damage. This is not important to most, but for those organizations which are under the pressure of being targeted directly by skillful and motivated threat agents, hunter teams are a viable and attractive option. I strongly suggest financial, defense, sensitive government, and high profile critical infrastructure organizations look into using them. Additionally, I urge security providers and consulting firms to evaluate offering professional hunter team services. The demand over time will continue to grow.

Hunter teams are a necessity in the evolution of cyber security. They are a pivotal step forward, applying desired pressure to attackers. Yet, they are not the final state. We will continue to evolve the practices and technology of targeting threat agents into something more scalable, affordable, and effective. But for the time being, I welcome hunter teams to the playing field. It is about time you showed up. We really need you. Happy hunting!

McAfee 2012 FOCUS security conference is a success

webadmin@intel.com — Fri, 26 Oct 2012 16:41:47 GMT

Every year, McAfee hosts the FOCUS security conference to pull together its customers, partners, and industry leaders. The conference informs and educates attendees on the latest threats, trends, best-known-methods, and showcases McAfee's new technologies and services. This year's conference was another grand event and success, with a 20% attendee increase over last year, two keynote speeches, and over 70 targeted, highly technical sessions organized into 14 tracks.

The first day focused heavily on technologies and how the threat landscape is manifesting new types of attacks. Mike DeCesare, co-president of McAfee, and Michael Fey, McAfee CTO, did a wonderful job of outlining McAfee's strategy and how it aligns to legacy and emerging attack methodologies. DeCesare clearly showed how McAfee’s acquisition by Intel is paying dividends with the integration of Intel/McAfee technology, resulting in DeepSAFE/Defender and an ePO-vPro AMT extensibility. Fey and his team did a real-time demonstration of how new malicious malware continues to evolve and is a real threat, by showing the audience a new critical level Denial-of-Service takedown of a PC, MacOS, and Android system. They explained how the DeepSAFE/Defender product could prevent such attacks and how ePO with Intel vPro AMT technology can recover PC's remotely without the need of a physical touch by a technician.

On day-2, Mike Fey announced a new strategy to advance both the capabilities and economic automation of security controls through a more comprehensive and open ecosystem. It will leverage the vast McAfee GTI sensor cloud to identify tactical opportunities and advise customer environments, which can benefit at their discretion, by instituting local rules and even share their data to 3rd party services for advanced analysis and management. This will finally allow customers finer control of risk decisions for their environment, based upon near real-time intelligence gathered worldwide, to rapidly institute and easily maintain technical rules which may be inappropriate at larger scales or for broader communities, but fit perfectly for their local environment and risk appetite.

On the technology side, what was talked to last year with great anticipation, was shown in practice in this year's conference. In one of the most attended technical sessions, a team of Intel and McAfee speakers showed the architecture and spoke to the benefits of Deep Defender. In the past year, Deep Defender has become available and activations have been aggressive. Audiences were impressed with the capabilities and game-changing potential of this exclusive offering.

Deep Defender and other DeepSAFE technologies represent a disruptive change in the balance between how attackers and defenders interact. It has the capability of shifting the initiative to defenders, forcing the attackers into an undesirable position of responding to innovative detection and response technology. This is very good news for McAfee customers benefiting from the Deep Defender.

For those who explored the trade show floor, they were able to catch a glimpse of future Intel/McAfee technologies which may come to market. Demonstrations of secure boot technology, secure storage, virtualized IPS, secure video/audio, and others were available with lab folks to discuss the potential.

Overall, this year’s McAfee FOCUS conference was great investment of time for customers, partners, technologists, and security veterans. I can’t wait to see what next year’s conference has in store.

4 Tips to Successfully Market Security to Consumers

webadmin@intel.com — Tue, 04 Sep 2012 21:20:12 GMT

Marketing security to consumers is a difficult prospect. Security is not normally something a consumer thinks about, without a good reason. When walking into a store, full of anticipation of purchasing a new device, the excitement is about how it will be novel, functional, draw envy, and be entertaining. Not so much about what happens if it is stolen, hacked, or otherwise violated. Nobody really wants to consider what bad things might be associated with their upcoming purchase.

Marketing security to consumers is about influencing purchasing decisions. But people have a fuzzy and fluid definition of security. The drivers are largely emotional, not technical, and coupled to usages/experiences of devices. Consumers only invest in security if they feel a relevant need. It is about addressing problems both real and imagined. Without problems or concerns, security is irrelevant.

Overall, selling security products and services requires a pressing need, a meaningful solution, a good reputation of the provider, and a proof of value. Therefore, a successful marketing initiative must market meaningful and valuable solutions, from a respected position of trust, in a manner which convinces consumers their problems are being satisfactorily addressed.

To achieve success, consumer marketing programs must incorporate healthy characteristics to promote security without instilling fear, uncertainty, and doubt:

1. Clearly shows how offerings are effective to prevalent consumer problems
2. Build and reinforce a reputation of trust, value, and confidence in proficiency
3. Target moments of opportunity when consumers are compelled to invest
4. Educate consumers, with positive messages, how security makes using technology better

Becoming a trusted and beloved security provider does not happen overnight. It is the nature of the security industry, like many other trust based businesses, to take time to build relationships and earn a good reputation.

1. Clearly solve the customer’s problem

Security investment is typically in response to a problem experienced or perceived by the customer. Without a problem or risk of loss, security is simply not needed. Security solutions should solve this problem and be marketed in a way to show how the customer is benefiting. It could be as simple as protecting systems from malware infection, a more secure web browsing experience, a secure online-banking interface, reduction of spam cluttering their inbox, or the protection of sensitive data while in transit. Whatever the security, it must show how the customer’s problem is solved.

2. Build trust, value, and confidence

The finest security product or service will be unattractive if the provider is not trusted. Would you buy your medications from a shoddy operation or give money to a disreputable broker to purchase stock on your behalf? No. Trust must be established. This is why branding is so important to security organizations. Without trust, all is lost. So be careful in marketing claims, practices, and how customers are treated. Wild claims of performance or nonexistent capability is corrosive and will cause more damage in the long run. Conservativeness is more desirable. There is no need to stretch the truth to make it sound as if you solve every aspect. Consumers may not be security savvy, but they do know the problems are complex and no single solution will cover every aspect. Be open, honest, and realistic with quality products and services to build trust, show value, and instill confidence in your current and future customers.

3. Target moments when consumers seek security

There is a moment for every customer when they will need security. For some, it was in the past and they are more in tune with the value and purpose of security products. These potential customers will be open to marketing messages. For many however, it will be sometime in the future. An event will compel them to invest. It is only at that moment and beyond when security marketing will be welcome and meaningful. Target that opportune moment in time to both establish awareness of offerings and build reputation.

Knowing when specific customers are at this point is challenging but not impossible. For example, when someone does an Internet search for ‘security’, ‘data backup’, or ‘anti-virus’, it is a good bet they just experienced an issue and have recently broadened their acceptance of investing in protection.

The desire and willingness to spend on security can change radically at key moments. Security is most relevant when it fails and can stimulate a change in views and perceptions. These are opportunities for marketing to promote the relevance of security and present solutions at the time of need.

4. Show how security makes the user’s experience better

Messages must be simple and show in a positive light, how problems can be addressed. In the dangerous world of the Internet, security is an enabler. It allows people to enjoy the benefits of a connected world, while minimizing the risks. Security should be tied to the positive services and activities people want to enjoy. Avoid the dark messages, intending to invoke fear and doubt. The negative messages frame security in the wrong light and will further push away audiences.

Many automobile manufacturers have done a wonderful job of promoting safety. They speak to families arriving at their destinations safe, not horrific tales of car wrecks and fatality statistics. They show safety in a positive tone and distance themselves from the negative messages. Same should be true of security marketing.

Marketing security to consumers is a difficult task, but with a well thought out plan, quality offerings can reach customers in a positive way and build a long-term valuable relationship. Show how customer’s problems are being solved, build trust, target opportune moments, and tell the positive story of improved user experiences. This is the road to successful marketing of security.

Professional Malware is Evolving to Include Psychological Warfare

webadmin@intel.com — Tue, 28 Aug 2012 17:57:40 GMT

Professional malware is a powerful tool and is now being leveraged as a means of psychological warfare against nation-state targets. Recently, operators in Iranian nuclear facilities experienced a not-so-subtle sign of infection. According to an unconfirmed report from F-Secure, a Finnish security company, workers were disrupted by malware which maximized the volume on computers late at night and then played AC/DC’s Thunderstruck. If true, this represents a radical change in the behavior of elite class malware.

Nations across the globe, in pursuit of political goals, are developing sophisticated offensive cyber tools which can augment more traditional types of operations. Iranian nuclear facilities have been targeted with malware before, disrupting operations and gathering intelligence. The quality of the code, the complexity of the how vulnerabilities are being exploited, and the likely inclusion of human resources all points to a professional sponsor, likely that of a government. In response, Iran has instituted additional controls, including isolating networks to bolster security.

What is interesting about this recent music playing incident is how overt it is.

Most professional malware embraces stealth, both in delivery and execution. Worm and virus writers want to successfully access victim systems without detection. It offers the best opportunities to use compromised systems as a foothold for further attacks, steal information, and subvert operations. Some of the most sophisticated malware have embedded logic which detects when it might be under observation or being analyzed, with a quick response of self-deactivation and deletion. It is better to self-destruct than be detected or give the target an opportunity to peek at the instructions, architecture, and design. This strategy of malware design reinforces the saturation, persistence, and overall potential to compromise confidentiality, integrity, and availability of systems and services of the targeted environment.

Tapping into the psyche of victims is not new for uncomplicated malware. For some time viruses, worms, trojans and the like, have taken advantage of the minds and emotions of its victims.
• Luring people to open an email, file, or visit a malicious website through the use of tantalizing or scandalous subject titles
• Trapping files and holding them for ransom or threatening to forward them to authorities
• Affecting system performance or availability, then offering a fix or protection for a price
• Soliciting money because of a personal crisis or under the guise of global disaster relief
• Making ‘to-good-to-be true’ offers to gullible audiences
Although these methods are still successful, they represent only a basic level of strategic planning. They are in fact simple, direct, have little concern for being covert, and not part of a larger scheme.

So why would professional malware writers design their code to announce itself in such an unmistakable way and give up the element of stealth? The answer might be found in the goals of psychological warfare. The Thunderstruck incident is different and I suspect is part of a larger more complex operation. Openly broadcasting a rock anthem has a certain amount of flair and panache. Looking beyond the excellent choice in music, it is a bold message which can affect workers and government in many different ways.

The overall objectives of the attacker may be seeking to cause dissention and mistrust. First, given all the work to protect the systems, it is demoralizing to have such an open breach, the news of which cannot be easily suppressed. Employees concerns with the competency of the administration may grow. Secondly, this is a message to those defending the facilities. In essence saying, we can affect you in ways you may not understand, even when you do your best to protect the systems. Thirdly and most importantly, it fosters an environment of mistrust. Knowing that someone on the inside is likely assisting the attacks, it makes everyone wary and suspicious of each other. It also naturally weighs against the faith in superiors of being able to maintain control of an escalating situation. Under these circumstances, stress levels increase dramatically. It becomes very difficult to accomplish precise work at a rapid pace. This may be the real goal of the larger strategy. Advanced malware is just one tool of the plan.

The world of malicious software is constantly changing, evolving, and innovating. We may be witnessing a new era in professional malware writers expanding into a higher domain of psychological operations. Some would say, it was just a matter of time.

The paper can be found here.

Daniel Geer is one of the most well respected security metrics expert in the industry. But I just can't follow this line of analysis...

I think it is dangerous to distill the value of security based only upon the expenditure. Although an obvious relationship exists between security spending and controlling loss, I doubt it is linear. Increasing the TSA budget by 300% to $24B will not equate to 3x the level of security people feel or benefit from when boarding a plane. Will 3x more terrorists be caught or hijackings will be reduced to 1/3 current levels? Doubtful. Spending more does not mean security will improve at the same rate.

The attackers likely don't see it as an economic problem either. Cost may be a limitation, establishing boundaries on what attacks can be attempted. But I have not seen any evidence attackers make strategic decisions based upon a ratio of spending-to-attacker or target. If anything, I suspect they evaluate the spending in relation to the likely return. In my humble opinion, this probably holds true for financial, political, and even social attacks.

I would rather see this turn into a return-on-investment analysis, rather than a comparison on who is willing to spend more.

The question in the paper asks "Are you smarter than the TSA?". I would judge any organization which can achieve and manage to the same or better level of risk (risk of loss) in a similar environment, while spending less, as being "smarter than the TSA".

Is Security Spending a Necessary Evil?

Explaining the value of security spending - video

The Problem of Measuring Information Security

Tips to Protecting Your Mobile Devices While Travelling on Vacation

webadmin@intel.com — Wed, 13 Jun 2012 00:50:58 GMT

Mobile devices are important in our daily lives, but become outright treasured companions when we travel. Losing your device while away from home is frustrating and can define a trip as memorably horrible. For my friends and colleagues who will be enjoying the summer months travelling about with their cherished smartphones and tablets, here are a few tips to keeping them secure.

Handle your device safely. Phones and tablets are easy targets for thieves. Additionally, they are easily left behind or forgotten. Just like your wallet or passport, don’t leave your devices alone or visible to others. Leaving an expensive device visible in a parked car, restaurant table, or in a hotel room unattended is just asking for trouble
Backup your data. Before you leave, be sure to back-up your contacts and data. In the event the device is lost, stolen, or dropped in the pool, being able to quickly restore a new device is key to reducing stress and returning to your fun activities. Many backup services and solutions are available
Lock the device. Enable screen passwords. It may be an annoyance to you, but it is very problematic to someone who is trying to steal your information. Don’t make it easy for the criminals to victimize you
If lost, help get it back. Many good natured people find lost phones, but are unable to easily return the device. Adding contact information on the lock-screen can expedite the return of your precious phone or tablet. Several devices and software enable this handy function. But don’t list the phone number of the device itself, instead list a friend or an email account you can easily check
If missing, track it. Install tracking solutions to be able to both beacon as well as geo-track the device. When instructed, a beacon function will turn on the device, set it to maximum volume and then sound an audible alarm. A great feature if the device is within earshot. Geo-tracking will use internal GPS functions of the device to show where it is on a map. The problem when you lose something is it might be under the seat of the car right next to you or in the terminal of the airport miles away
If stolen, nuke it. Worst case, your device has been pilfered by a malicious person and may be used to explore your life and attack your finances. It is better to limit the damage to only replacing a phone or tablet. Sending a ‘poison pill’ to remotely destroy all your data will leave the thief with a blank device, unable to cause further harm
Protect it from Malware. Travelling is not the best time to be affected by malware. Be sure to have robust anti-virus running on the system. Many products also bundle device tracking (beacon and geo-track) and remote data destruction capabilities (poison pill)
8. Use phones as lifelines to friends and family. In addition to sharing and basking in the glory of your awesome vacation or adventure, phones can let those who you love know where you are and that you are safe. It can also inform of delays, vehicle breakdowns, detours, and changes in plans. Smartphones and tables can act as personal safety assistants by providing maps to avoid getting lost (unless that is what you want), translate conversations in local languages, and change reservations if safety becomes a concern. Keep your devices safe by letting them keep you safe.