What is interesting to me is the similarity of this operation to one that occurred more than five years ago. In a major 2006 fraud, detailed in an October 24, 2006 Computerworld article by Eric Lal with the title “Identity thieves hit customers at TD Ameritrade, E-Trade: Stock fraud scheme involving overseas hackers cost $22M in losses,” the perpetrators opened online brokerage accounts and bought substantial quantities of penny stocks. The article is available at http://www.computerworld.com/s/article/9004416/Identity_thieves_hit_customers_at_TD_Ameritrade_E_Trade  The thieves also obtained account access information and logged into existing accounts (or created false accounts) in order to buy large amounts of the same penny stocks. When the prices rose due to their purchases into the hijacked accounts, they sold their holdings of those stocks from their previously-established accounts and pocketed the profits to the tune of at least $22 million. TD Ameritrade compensated legitimate customers, whose accounts had been hijacked, for $4 million in losses, and E-Trade paid out $18 million.

© BlogInfoSec.com, 2012. | Permalink | No comment | Add to del.icio.us
Post tags: hacking, information security incidents, pump-and-dump, spotlight

From an information risk management (IRM) perspective, we do live in that world.

I delivered my presentation, “The New School of Information Risk Management,” over a year ago at a conference of IT auditors and risk managers. A common response to my presentation was that it contained “too much” math; people were hoping for practical tips on how to do risk management. I found this reply baffling. Again, imagine if someone with the job title of software engineer said, “I don’t need to know computer science or even how to program; I am a software engineer.” Or an accountant who said, “I don’t need to know how to read a P&L or a tax return; I’m an accountant.”

Huh?

Such people are, despite appearances, obviously speaking a different language than what I speak. In my language, it makes no sense at all to say that one can “do” risk management without even the most basic understanding of probability theory. In my opinion, the minimum bar for competency as a risk analyst or manager, regardless of the kind of risk to be focused on and even if they use so-called “qualitative” methodologies, includes understanding:

• the difference between the frequency and epistemic interpretations of probability (and why it matters);
• Bayes’ theorem and the definition of conditional probability; and
• the base rate fallacy and how to avoid it.

If a person does not understand (and refuses to learn) these entry-level risk concepts, I assert they have no business doing IRM professionally.

© BlogInfoSec.com, 2012. | Permalink | No comment | Add to del.icio.us
Post tags: information risk management, IRM, probability, probability theory, software engineering, spotlight

While this type of breach can be extremely damaging, not only to those who have had their personal data hijacked, but also to political relations between involved countries, as well as destroying any trust members may have had in the Chamber’s computer systems and networks, such incidents are neither unusual nor unexpected. And it is more than likely that this event is only a very small tip of a very large iceberg.

Two all-too-common characteristics of this breach jump out: One is that the Chamber did not discover the breach itself but supposedly was informed by the FBI, which spotted the transfer of the stolen data to servers in China (Nota Bene: This alone does not prove unequivocally that a Chinese group did it). A second common characteristic is that the breach was apparently discovered only in May 2010 after it had been active since “November 2009 or earlier,” which is seven or more months after apparent inception.

© BlogInfoSec.com, 2012. | Permalink | No comment | Add to del.icio.us
Post tags: china, data breach, FBI, forensics, functional security testing, hackers, Siobhan Gorman, spotlight, U.S. Chamber of Commerce

First off, the photograph of a printer, which is prominently displayed at the head of Mills’ column, is that of an Officejet printer, not a LaserJet. This is odd since apparently none of the research findings actually relate to Officejets, only to LaserJets.

Ms. Mills links us to the original MSNBC column by Bob Sullivan with the title “Exclusive: Millions of printers open to devastating hack attack, researchers say,” and to an HP News Release, “HP Refutes Inaccurate Claims; Clarifies on Printer Security.” The latter then points us to the section of HP’s website about “HP Security for imaging and printing.”

While I am not in a position to know who is right or wrong here, Columbia University or HP, and since a lawsuit has been filed as described in Mills’ column, I will not comment on which claims might be true or false, rather I will examine the manner in which the apparent flaw was made public, as it is an issue common to all disclosures of vulnerabilities and malware.

For transparency’s sake … I know personally Sal Stolfo, who heads the research team at Columbia University, having participated with him in a number of workshops, and, most recently, having greeted him at the 2011 IEEE Homeland Security Technology (HST) Conference in Waltham, Massachusetts, in mid-November. Sal co-authored two papers at the conference; one on “Measuring the Human Factor of Cyber Security,” which won a Best Paper award, and the other on “Behavior-Based Network Traffic Synthesis” … both very important topics, but neither one about hacking printer firmware. In fact, my own presentation at that conference, “Assuring Software and Hardware Security and Integrity throughout the Supply Chain,” is probably much more relevant to the printer issue. Also, my poster presentation from the previous year’s IEEE HST Conference, “Risks of Unrecognized Commonalities in Information technology Supply Chains,” may also be relevant since it included a photograph of the HP printer and toner cartridge, which was discovered before the explosives hidden inside were detonated. Furthermore, I discussed another printer-related risk, namely sensitive information stored on disposed-of printer hard-drives, in my August 9, 2010 BlogInfoSec column: “Data Leak! Data Leak! … Copy.”  Clearly printers have a number of inherent issues, but dealing with such issues often requires the common tradeoff between functionality and security.

© BlogInfoSec.com, 2012. | Permalink | No comment | Add to del.icio.us
Post tags: Firmware, functional security testing, HP, HP LaserJet printer, printers, spotlight

First, the easier one … I am a strong proponent of  the Monte Carlo approach to risk assessment. For a multitude of reasons, many of which are listed in Hubbard’s book, scoring methods are deficient as a means  of expressing risk. Risk scores are highly subjective, not readily able to be aggregated, carry different weights in the minds of various assessors, etc., etc. Yet for  all their deficiencies, risk scoring remains hugely popular. And that’s because risk scores are easy to come up with and simple to present. They don’t involve  complicated probability theory that is difficult to understand and harder to implement. While I believe that scoring, if used with full knowledge of its  limitations, can have some value in focusing management on particular areas of risk and can be used to indicate some broad measure of relative importance, risk  scoring does not properly represent the nature of risks with respect to value, uncertainly and time.

By the way, I must also correct my characterization,  in my September 12, 2011 column, of the OCTAVE® approach being “totally dependent on scoring.” In fact, various OCTAVE® publications play down the use  of scoring, favoring the use of high-medium-low categories—this is what I have used in many of my own publications. To be fair, the OCTAVE® researchers do  introduce scoring in a few places, but with many disclaimers and warnings against its ubiquitous use.

© BlogInfoSec.com, 2011. | Permalink | No comment | Add to del.icio.us
Post tags: Monte Carlo, objective risk, personalizing risk, risk, risk assessment, risk scoring, spotlight, subjective risk

There are two main ways in which this issue might be resolved. One is to make sure that the contractual requirements are conveyed to everyone who must perform and then ensure that they monitor their responses and enforce compliance. They also need to make new responders and recipients aware of their responsibilities if there are changes in staffing on either side. The other approach, which is not mutually exclusive of, but should be in addition to, the first suggestion, is to automate the reporting function. In this approach, probes are inserted within providers’ systems so that customers can get a direct view into their service providers’ relevant information systems and networks. This will allow customers to detect breaches and other compromises as they happen. Here again, customers and providers have to be made aware of changes affecting both parties, such as changes in system architecture, application functionality, organizational structure, and the like.

Another desirable capability would be to tap into the service providers’ internal notification systems so that customers can see what service providers are looking at, particularly for those instances that don’t fall within the purview of monitored systems, such as human-based systems and systems not rigged with monitoring devices. This might be more problematic as there is the risk that any given customer might be given access to proprietary or otherwise sensitive information regarding other clients.

© BlogInfoSec.com, 2011. | Permalink | No comment | Add to del.icio.us
Post tags: breach, breach notification, incident reporting, incidents, spotlight

Such an attitude of overconfidence goes a long way in explaining why too little is spent on information security, why so many security expenditures are of the wrong type, and why it always seems to come as a surprise when a breach occurs.

Kahneman describes how, even when confronted with the fact that their predictions were little better than random guesses, evaluators “continued to feel and act as if each particular prediction was valid.” Such confidence prevails among managerial decision-makers when they are considering cybersecurity-related risks. They ask why they should invest in protecting against incidents that may never happen. They question how investments in security can be justified when the expected losses are so small. Perhaps that is why it is usually only when lawmakers and regulators up the ante with respect to the costs and consequences of breaches that significant action is taken.

Also, Kahneman believes that “people who face a difficult question often answer an easier [question] instead, without realizing it.” This would appear to apply to security professionals who respond with a list of all the good security measures in place when they are asked by the CEO: “Are we secure?” This latter question is, of course, impossible to answer, but that doesn’t stop executives from asking it.

© BlogInfoSec.com, 2011. | Permalink | No comment | Add to del.icio.us
Post tags: breaches, Daniel Kahneman, illusion of validity, overconfidence, risk, spotlight

However, when it is suggested that companies report POTENTIAL security compromises and their costs and consequences, we must examine what they might mean more closely. The SEC lists five examples of what should be disclosed, as follows:

• Business and operational aspects that “give rise to material cybersecurity risks and the potential costs and consequences”
• Outsourced functions that “have material cybersecurity risks” and how the risks are being addressed
• Cyber incidents that “are individually, or in the aggregate, material,” and “a description of the costs and other consequences”
• “Risks related to cyber incidents that may remain undetected for an extended period”
• “Description of relevant insurance coverage”

Some of these situations are difficult to imagine insofar as what type of reporting is required. Virtually all business operations provide the opportunity for material cybersecurity risks, as do most outsourcing arrangements. At what level does the “material” criterion kick in? How does one aggregate risks? And if a cyber incident has been taking place over a long period of time but has not been detected, what risks should be reported … the risk of the incident or of its not being detected or both? It is likely that the result of such disclosure requirements will be the usual bland generalized corporate statements that we have seen so often in the past. Also, as I described in my somewhat controversial September 12, 2011 column “Risk Mismanagement – Scoring vs. Monte Carlo vs. Scoring,” the measurement of risk is personal and there are not any fully satisfactory methods in existence, as far as I know, for aggregating diverse risks. Consequently, corporations are likely to downplay cybersecurity risks, until after an incident occurs, at which point they will likely state that the attackers were so smart that they couldn’t have been reasonably expected to defend against them.

© BlogInfoSec.com, 2011. | Permalink | No comment | Add to del.icio.us
Post tags: CF Disclosure Guidance, cybersecurity, DCF, incident reporting, potential security compromise, risk, Risk Analysis, SEC, spotlight

In these works, we get the real inside scoop about the frightening threats to, and vulnerability of, our critical agencies and sectors and about terrifying cyber events that have taken place within government. This is not the speculative hearsay often seen elsewhere. Among other influential positions, Brenner was senior counsel at the National Security Agency. So he really knows what was going on.

Brenner’s book describes the horrific state of affairs in the cyber world at great length and then prescribes, in a final chapter, a set of mitigation strategies. The recommended approaches depend on the responsiveness of government, collaboration between the public and private sectors, and the like, which are neither forthcoming in the current economic environment nor likely to gain much traction even in more prosperous times. In all such appeals for action, the problem is that those who get it don’t have the power to fix it; and those with the power don’t get it.

Unfortunately, those, such as Brenner, who raise issues regarding the Nation’s cyber vulnerability and the need to do something about it, are mild-mannered, well-meaning intellectual types, who are highly respected by those of us who care about protecting the U.S. against cyber attacks from within or from abroad. However, they generally have difficulty generating an appropriate level of concern, enthusiasm and action. The go-get-’em tough guys are mostly into kinetic attacks and responses and many of them seem to have little understanding of the cyber world. As described in my March 29, 2010 column “Cybergeddon … Ho Hum” (see … http://www.bloginfosec.com/2010/03/29/cybergeddon-%e2%80%a6-ho-hum/), I was particularly affected by Vice Admiral Michael McConnell’s testimony that nothing substantive will be done by the government until we experience a “catastrophic event.”  This is not a happy situation,

© BlogInfoSec.com, 2011. | Permalink | 2 comments | Add to del.icio.us
Post tags: America the Vulnerable, cyber attack, Joel Brenner, Michael McConnell, National Security Agency, NSA, spotlight

Now, the issue … In John Bussey’s article. “Seeking Safety in Clouds,” in the September 16, 2011 issue of The Wall Street Journal, Jim Reavis is quoted as saying “Small and medium businesses are insane not to leverage the advantages of cloud computing … It ends up being in almost all cases a security upgrade because they can’t otherwise afford the practices.” While I agree that smaller companies can and do benefit greatly from cloud computing and that, if security is implemented appropriately, the cloud services can be more “secure” than in-house systems, I have two issues with SMBs diving pell-mell into cloud services without considering some of the risks.

© BlogInfoSec.com, 2011. | Permalink | No comment | Add to del.icio.us
Post tags: Availability, cloud computing, cloud security, Cloud Security Alliance, CSA, Jim Reavis, outsourcing, SMB, spotlight