Real-time Information Security Analysis

Advanced Leaders

2011-04-24T10:13:00.002-04:00

Increasingly, leaders want:

1. Not just to run an organization effectively, but to change the surrounding system as well.

2. Not just improve hospital performance, but improve overall health.

3. Not just fix troubled schools, but change patterns in communities that lead children to under-perform.

4. Not just fix a problem, like a broken financial system, but change the culture.

Still, advanced leaders dance to their own tune.

1. They find opportunities for change in the cracks in the system, in the white space where nothing is written.

2. Rather than try to change the establishment all at once, they fill gaps, create new alliances, and forge new pathways. For example, Advanced leaders:

3. Work in complex systems where authority is diffuse or divided.

4. Break mental boundaries and challenge established patterns.

5. They think not just outside the box but outside the building.

6. They know that cities are not City Hall, health takes more than hospitals, and education is more than schools.

7. Advanced leaders use the tools of the future. They don't want society's leftovers, or what I call spare change; they want the best and latest ideas and technology to make real change.

The surface has barely been scratched for the use of technology to improve society. Consider the potential for data analytics to spot disease outbreaks, mobile phones to monitor health, or interactive websites to bring personalized learning to disadvantaged areas.

The Most Terrifying Video You'll Ever See - Power Grid Cyber Security Edition

2011-01-23T18:52:00.000-05:00

If you have ever seen this video: The Most Terrifying Video You'll Ever See, it definitely has a catchy title that makes you want to click and watch. Regardless of your views on the topic it's covering (global climate change), it's an interesting topic and stimulates debate from all sides.

I could not help but notice the similarities between that topic and the increasingly popular power grid cyber attack scenario argument. With the discovery of Stuxnet in 2010 and it's "game changing" functionality and components, that which was previously theoretically possible is now a reality.

Using the same diagram as the author (Wonderingmind42, Greg) in this video, I constructed a similar diagram for a Grid Cyber Attack (GCA). The other acronym in the diagram is BES (Bulk Electric System).

First, a GCA is defined as a Stuxnet-like sophisticated piece of malware that infiltrates the US power grid at multiple locations, through multiple Utilities and is designed to have very specific impacts. Hypothetically, this scenario includes impacts such as wide spread cascading power outages in various parts of the country and many prolonged outages lasting weeks or months.

So let's define the diagrams components for clarity:

On the left hand side is a false/true. This is whether or not you believe the above type of scenario happening is likely to be false or likely to be true.
Across the top, the columns represent action taken. Either we take action "yes" or we do not take action "no" to do all that we can to prevent this type of cyber attack scenario from occurring.
The 4 boxes in the middle represent the consequences of taking the actions (and depend on the false and true rows).

Now let's define the consequences of taking action in more detail:

Box 1 (upper left corner) represents taking an action (yes) and this sort of grid cyber attack occurring being false. The consequences of this action would likely result (using a worst case scenario) in a lot of unnecessary costs to all Utilities that chose to do all they can to defend against this scenario. "All that they can" is hard to define and left up to the decision makers of each participating Utility. This would likely translate into decreased profits which would translate into things like layoffs and a sector wide decline in profitability. - We spent a whole lot of money for nothing and now we might look a little silly and impact the lives of people we are forced to lay off.

Box 2 (lower left corner) represents taking an action (yes) and this sort of grid cyber attack scenario occurring turning out to be true. The consequences of this action would result in the same costs as listed above but the Utilities being able to either stop outright or retain reliability and integrity of the power grid against the described cyber attack. - We paid for it, but we stopped it. yay! :)

Box 3 (upper right corner) represents not taking any action (no) and this sort of grid cyber attack scenario not occurring. The consequences of this inaction are "business as usual" and everyone is happy yay! :)

Box 4 (lower right corner) represents not taking any action (no) and this sort of grid cyber attack scenario turning out to be true. The consequences of this inaction are the "worst case scenario" coming true. Significant human impacts. Loss of hundreds of millions of dollars but more than likely, hundreds of billions of dollars due to wide spread cascading power outages lasting weeks to months across the U.S. Major impacts include public safety, health, operational, economic, and political. Widespread panic and chaos not unlikely.

So like the author of "The Most Terrifying Video You'll Ever See", one must ask the question, is it worth it? Are we doing enough, fast enough? These are no doubt, difficult questions with difficult, complex answers.

Should these decisions be a cost/benefit analysis and financially motivated when they deal with such high impact consequences?

Some other interesting related topics include the precautionary principle: The Precautionary Principle

What do you think?

A Briefly Scoped Look at 2010, Risk Management and Cyber Security Strategy

2010-12-31T18:22:00.000-05:00

Risk Management

· 2010 has been a banner year for highly publicized, yet real-world proof of concepts for a number of threats. Some of which we have known about for years.’

o We started the year in January with the Google “Aurora” APT hack.See: Operation Aurora

o Then in June we had Stuxnet which was as one author put it “malware beamed back from 5 years in the future” to raise the bar on any previously known APT. See: Symantec Stuxnet Dossier

o Also in June, but progressively coming to light for the rest of the year we had Wikileaks. A classic case of the insider threat and data loss. See: Wired.com Wikileaks Story (Original)

Some questions, without the answers for now…

· Are we as industries doing enough, in a timely manner, to keep up with the pace of the myriad of threats? The threat landscape seems to be evolving faster now than anytime in recent history. Isn’t it our job to make sure that company Executives are aware of the risks associated with these threats in a timely manner so we as cyber/information/risk Analysts can have the tools to make the right decisions to best defend our sensitive information and networks in an equally timely manner? I realize the time component is an important concept here. When is it timely enough? Is being proactive in identifying the threat before we see a proof of concept in the real-world an unrealistic business goal?

· Are we (as industries) really proactive with regards to our overall information/cyber security strategies? Or are we reactive? I realize these are loaded questions and can be looked at from a number of perspectives. For example, compared to industry peers, to cyber security budgets from years past, to other industries etc. Most organizations are in business to provide shareholder value and good returns, as well as provide quality products/services to customers and thus the business case for (increased) cyber security is sometimes a tough one to make. But of all years, 2010 certainly made this an easier case to make, I think you would agree.

· In 2011 will industry be implementing controls to help us defend against threats that came to light in 2010 that were no doubt occurring in 2009 and before? Yes.

· In 2011 I suspect industry will have a “heightened interest” in analyzing controls to prevent insider threats & data loss prevention (e.g. Wikileaks), and super-APT’s (e.g. Stuxnet) with 2012 business cases, while the bad guys are moving on to new techniques.

I realize to a certain extent this is a perpetual game of catch-up. Is this a fact of life or something we can control? I think a little of both. I know we don’t live in an ideal world or business environment for that matter, so my point is not that we need to do everything “now” or be able predict the future, but I do think industry should strive to continually perform threat and risk analysis/management in as close to a real-time (preferably proactive) way as possible within known constraints. I pose another question; do we really think we are doing “enough” now, fast enough? How much more would your 2011 cyber security budgets be if your organization had an APT, Stuxnet, or Wikileaks type incident this past year?

I can’t state it any better than Gartner Analyst John Pescatore from the recently released Gartner document titled “The Gartner 2011 Information Security Scenario”:

Key Issue: How should information security programs evolve to deal with changes in business processes, information technology and threats?

We are at a cusp very similar to what we faced 20 years ago as mainframe and departmental computing were attacked by personal computing. Consumerization and cloud are breaking IT processes, and by extension IT security processes, in a very similar manner. At the same time, cybercrime (financially motivated, targeted threats) are moving even more quickly to exploit this breakage. Similarly, legislators are moving more rapidly to "help" by introducing new laws requiring new forms of reporting. The movement toward consumerization and cloud computing has a lot of promise to both increase user productivity and decrease the cost of IT delivery. However, if some of those savings aren't used to keep security ahead of the threat, many businesses will face financially significant security incidents that more than consume the benefits.

Book Review/Notes: Psychology of Intelligence Analysis

2010-12-26T17:28:00.000-05:00

Psychology of Intelligence Analysis Book notes on Google Docs

Amazon

CIA

Project Grey Goose Report on Critical Infrastructure: Attacks, Actors, and Emerging Threats

2010-01-23T21:29:00.000-05:00

Fascinating, informative new report from GreyLogic examining the state of Cyber Security on the US critical infrastructure. Attacks, Actors, and Emerging Threats

Google Hack Attack Was Ultra Sophisticated, New Details Show

2010-01-20T19:16:00.000-05:00

Google Hack Attack Was Ultra Sophisticated, New Details Show

http://www.wired.com/threatlevel/2010/01/operation-aurora/

· Although the initial attack occurred when company employees visited a malicious website, researchers are still trying to determine if this occurred through a URL sent to employees by e-mail, instant messaging or through some other method, such as Facebook or other social networking sites.

· Once the user visited the malicious site, their Internet Explorer browser was exploited to download an array of malware to their computer automatically and transparently. The programs unloaded seamlessly and silently onto the system

· “The initial piece of code was shell code encrypted three times and that activated the exploit, Then it executed downloads from an external machine that dropped the first piece of binary on the host. That download was also encrypted. The encrypted binary packed itself into a couple of executables that were also encrypted.”

· One of the malicious programs opened a remote backdoor to the computer, establishing an encrypted covert channel that masqueraded as an SSL connection to avoid detection. This allowed the attackers ongoing access to the computer and to use it as a “beachhead” into other parts of the network to search for login credentials, intellectual property and whatever else they were seeking.

· Although security firm iDefense told Threat Level on Tuesday that the Trojan used in some of the attacks was the Trojan.Hydraq, Alperovitch says the malware he examined was not previously known by any anti-virus vendors.

· iDefense also said that a vulnerability in Adobe’s Reader and Acrobat applications was used to gain access to some of the 34 breached companies. The hackers sent e-mail to targets that carried malicious PDF attachments.

Aurora and Botnets

McAfee Worldwide Chief Technology Officer, George Kurtz, McAfee Senior Vice President, Stuart McClure, and McAfee Senior Director, Greg Brown, will team up to share everything you need to know about two white-hot security topics: Botnets and Aurora - the day-0 vulnerability that impacted Google and several other companies last week. Jan 21st at 2:pm EST https://www1.gotomeeting.com/register/541112360

Cool Infosec link

2008-07-16T22:15:00.002-04:00

This Infosecportal is a great idea, a portal for relevant Information Security, threats, and risks data from a wealth of reputable sources. Enjoy.

Comment on Understanding Risk in Control System Environments

2008-07-16T22:10:00.003-04:00

In response to an interesting post on the Digital Bond website here I wrote the following:

Comment from chris
Time: July 16, 2008, 9:59 pm

Quality post. Perhaps the concept of Corporate Social Responsibility (CSR) can be more formally inserted into the risk analysis. In CSR, the triple bottom line of social, financial, and environmental performance is tracked along with the traditional primary financial focus. For the vast majority of corporations practicing CSR today , the environmental and social metrics are then rolled up into the financial tying it all back to a $ amount. However, for purposes of this risk assessment it would appear that using all three indicators individually may assist in a more sound albeit less quantitative consequence definition. To add to that, many organizations in scope of this type of risk assessment are government run (water management districts for example) so their focus is not always tied to making a profit, or even wise use of funds i speculate. So for utility X with a financial focus, a power plant down leading to wide spread power outages may be worst case scenario from a financial (reputation + lost revenue + other impacts caused from power outage) perspective, while for water management district Y with a social (public service/ public impact) focus it is wide spread flooding from a dam malfunction. For a nuclear plant it is affect/loss of human life etc.

Perhaps keeping the three CSR areas of social, financial, and environmental separate is a good idea when defining consequence. Define worst case scenarios in each of the three areas and agree that there are events that you know you can’t quantify ahead of time, but you would never want to see happen in each area as well. Luckily, for those “you never want to see” events, government regulations often address but if you’re an organization you *should* do whatever is in your power to prevent them as well.

Watch out for lightning!

2008-07-11T21:53:00.005-04:00

from: http://www.flickr.com/photos/i_love_the_slow_loris/2646424593/

Vacation - A week to reflect, relax, enjoy

2007-11-02T18:43:00.002-04:00

I had some vacation days left for 2007 so I decided to use them all together and take a week off rather than a day here and a day there for the rest of the year, besides they were use em or lose em days...I tried to coordinate getting out of Miami with some friends but it was just not possible so I stayed local and just woke up each day without a real plan (other than my To-Do list which has grown into a multi-tabbed, colored, faceted MS Excel spreadsheet ). On this list I have a plethora of thoughts, ideas, dreams, and wishes to share a few (Move to Italy, Take Golf, Tennis, Italian and Salsa lessons, test drive a new car, a book list, you get the idea..) as you can see the list has no real entrance requirements. I also did a a lot of other little things during my vacation that I just don't have or make the time to do during a normal week like a random drive to no where just for the fun of it or sit out on my balcony and enjoy a sunny day looking at Biscayne Bay drinking a glass of fresh limeade, ok fine it was from a carton...

One thing that happened to me prior to going on vacation was a request from a respected executive of a vendor my company does business with asking me if I would be interested in writing a guest blog entry on his blog. I was extremely surprised and flattered by the request. I am excited at this opportunity and have to approach it correctly. When I return back to work on 11/5 I will seek approval to follow through on this...

Here are my latest fav websites:

Italy

http://howtoitaly.typepad.com/howtoitaly/

Fitness

http://exercise.about.com/cs/forprofessionals/a/personaltrainer.htm

Miami Real Estate

http://blog.miamicondoinvestments.com/

Music

http://www.bbc.co.uk/radio1/

Information sharing

2007-06-17T23:33:00.000-04:00

I recently started reading a book called "Wikinomics" how mass collaboration changes everything. I found the book to be extremely interesting. While reading this book, several websites are cited as examples to topics covered, this led me to a number of "social networking" sites including some social news & social bookmarking websites. Social networking is as it sounds, in this example websites where people go to socialize and network. The most popular of which are Myspace.com and Facebook.com. Social bookmarking was new to me and this is basically sites that offer a downloadable plug-in for your web brwoser that allow you to 'tag' sites or save sites you find interesting to a central location for anyone else out there in the WWW world who has also inctalled the same plugin. The most popular of these sites is del.icio.us (just type that into your web browser, it works.) I have since stumbled across a whole host of websites that provide a wealth of extremely useful, interesting, sometimes fascinating and even funny information from topics across the board. I thought I would share the most interesting sites I have come across up to this point. I hope you enjoy them as well!

http://del.icio.us/
http://wikinomics.com/ & the blog
http://digg.com/
http://slashdot.org/
http://blogs.sun.com/jonathan/
http://technorati.com/
http://www.thesimpledollar.com/
http://www.lifeoptimizer.org/2007/06/06/106-tips-to-become-a-
master-connector/
http://www.writingcave.com/a-herd-of-buffaloes-a-pride-of-
lions-and-a-lonely-crocodile/
http://video.google.com/videoplay?docid=-2757699799
528285056
http://www.ted.com/index.php/talks/view/id/129
http://money.cnn.com/galleries/2007/moneymag/0706/
gallery.success_stories.moneymag/index.html
http://www.frugallawstudent.com/2007/05/29/massive
-personal-finance-resource-list/
http://ocw.mit.edu/OcwWeb/web/courses/courses/index.htm