With this in mind, I spoke to Ben Worthen, a reporter from The Wall Street Journal, and was quoted in the January 19, 2010 issue. The title of the specific article was “Private Sector Keeps Mum on Cyber Attacks” and the subtitle “Companies Are Loath to Disclose or Share Information on Breaches for Fear of Bad Publicity and Loss of Business to Rivals.” My particular statement was that the organized sharing of incident information among companies had not really advanced since the late 1990s.

My statement was sandwiched between one by Scott Algeier of the IT-ISAC (Information Technology Information Sharing and Analysis Center) and another by Bob Carr, the CEO of Heartland Payment Systems, which has suffered a major privacy data breach. Mr. Algeier asserted that considerable progress had been made in the past decade in public-private sector collaboration, and Bob Carr claimed that up to 300 companies had also been “targeted by similar attacks” but had not “come forward.” How might one resolve such apparent inconsistencies in our three views?

For the record, I was a co-founder and two-term Board member of the FS-ISAC (the Financial Services ISAC), which was launched by Treasury Secretary Lawrence Summers in October 1999, purposely in advance of Y2K. The IT-ISAC was founded more than a year later, in January 2001. The FS-ISAC was the first of the ISACs to be formed in accordance with president Clinton’s May 1998 Presidential Decision Directive (PDD) 63, alluded to in the WSJ article. The FS-ISAC became the model for many subsequent ISACs both in the US and abroad.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: Ben Worthen, Bob Carr, FOIA, Freedom of Information Act, FS-ISAC, Heartland Payment Systems, IT-ISAC, Lawrence Summers, PDD-63, Presidential Decision Direction 63, Scott Algeier, spotlight, Wall Street Journal

Feed enhanced by Better Feed from Ozh

Logically, the argument runs like this:

If “x conditions exist” then something really bad should happen

Nothing really bad happened

Therefore “x conditions” did not exist

In it’s pure mathematical form (technically called Modus Tollens) it can be represented as such:

if p -> q

~q

hence ~p

To flesh this out a bit:

If the current conditions exist such that H1N1 should massively spread, then there should be a pandemic

We did not have a pandemic

Therefore the conditions did not exist such that H1N1 should massively spread

The conclusion is that if the conditions did not exist then it must have been another reason — such as drug companies –  that pushed the pandemic hype. The mistake in reasoning is to believe that the conditions in the first part of the If/Then statement cannot change. By distributing a vaccine the conditions of the “If” were altered.  The same fallacy applies to information security.

Next time someone complains that “There is no way to tell if any of this information security really does anything” the Information Security Professional has a proper, logical and mathematically sound reply. “We changed the environment so that it would be much less likely to happen.” Logically speaking it’s as though we changed the variable ‘p’ to something else so that a different condition now exists. It’s necessarily so.

© BlogInfoSec.com, 2010. | Permalink | One comment | Add to del.icio.us
Post tags: featured, H1N1, News Commentary, pandemic

Feed enhanced by Better Feed from Ozh

But there is one big, glaring problem with cloud computing, and it just got laid bare in Google’s recent problems with China: your stuff isn’t safe. Google insists that cloud computing is perfectly secure. But of course Google says that—it’s trying to build a business out of it.

But if Google is so secure, how come Chinese hackers broke into its corporate servers and stole its intellectual property? Google won’t say exactly what information got filched, but if the company can’t protect its own intellectual property, how can it protect yours?

Lyons then quotes Nicholas Carr for the opposing opinion:

Carr argues that while Google and other cloud providers can’t guarantee perfect security, they probably do a better job of fending off hackers than most companies can do on their own. On the other hand, Carr says, pooling millions of companies into a single big provider creates bigger individual targets. A hacker who cracks into a cloud can get at everybody’s stuff.

Professionally speaking, I need to agree with Carr on this one. Publicly traded companies such as Google in the US must comply with various of regulations, most notably Sarbanes-Oxley. They are bound to compliance measures that help increase the security in their publicly traded organization. And, Carr is also correct to point out that cloud computing companies/domains are a larger target with a greater impact if the institution is breached.

There are two points that are not touched on by the Op-Ed.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: cloud computing, daniel lyons, exploits, Google, newsweek, nicholas carr, spotlight, vulnerability

Feed enhanced by Better Feed from Ozh

So much for that suggestion. A week later, the White House announced that they had hired Howard Schmidt for the job. I happen to think that putting Howard into this role is a much better solution, particularly since he is not matrix reporting to White House economic adviser Larry Summers and the National Economic Council. I had noted in my June 15, 2009 column, “Here We Go Again … Demoted Security,” that I didn’t think that economists should be setting IT and infosec priorities, as they frequently don’t fully understand technology, its importance or its ramifications.

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: Cyber Security Coordinator, Howard Schmidt, Information Security Forum, Information Systems Security Association, ISSA, Richard Clarke, spotlight

Feed enhanced by Better Feed from Ozh

In late October of 2009, I was invited to South Korea to speak on information security. In my conversations with the conference participants, I learned that intellectual property (IP) is not given the same considerations in Asia as in the US and Europe. Employees of companies are constantly leaking data to other companies and it’s difficult to change the mindset. In addition, at least in South Korea, there are less infosec laws and companies are not regulated as they are in America (SOX) and Europe (see Telecom legislation here).

The lack of regulation and the difference in mindset create an environment that lends itself to compromise. As such, this is most likely not the first compromise or exposure for Google (or most other US businesses) that operate in China. Stepping away from information security for a moment, we can see this mindset in other fields of business. Consider consumer goods such as watches, clothing and handbags. According to Wikipedia, “Most counterfeit goods are produced in China, making it the counterfeit capital of the world.” Why should the mindset be different for intellectual property, especially property in an electronic format?

© BlogInfoSec.com, 2010. | Permalink | 3 comments | Add to del.icio.us
Post tags: asia, china, Google, hack, south korea, spotlight

Feed enhanced by Better Feed from Ozh

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: breaches, hack, Hugh Thompson, insurgents, Iraq, Predator drones, security testing, software security assurance, spotlight, Wall Street Journal

Feed enhanced by Better Feed from Ozh

Yesterday I received a call from a family member. It appears that around 3000 emails stored in the Sent Items folder and dated from prior to 12/30/2009  (but not after) all of a sudden just disappeared from their web based interface. Yet, the total used storage space was still at 95%. Upon calling Network Solutions and describing the problem, the family member (before I was asked to assist) received the following email reply:

We have resynced the mailboxes to the server, many times this restores lost mail, but it can also remove mail that was left behind as “ghost” messages. These messages are typically left when a POP client downloads messages from the mailbox but doesn’t complete all the way. After repairing [your] mailbox it is completely empty, meaning someone at some point likely POP’d the mailbox and removed the contents. We apologize but we recommend keeping a more secure password as it appears someone has access to your mailbox other than you.

The issue you reported to Network Solutions on 1/4/2010 02:32:36 PM and assigned to Service Request 1-432797685 has been completed and closed.

[Emphasis mine.]

Now, this clearly doesn’t make sense when you analyze it.

© BlogInfoSec.com, 2010. | Permalink | 2 comments | Add to del.icio.us
Post tags: breach incidents, data breach, data loss prevention, featured, hacking, incident, Network Solutions, Security Breaches, web applications

Feed enhanced by Better Feed from Ozh

© BlogInfoSec.com, 2010. | Permalink | No comment | Add to del.icio.us
Post tags: authorized software, desktop, spotlight, unauthorized software, Wall Street Journal

Feed enhanced by Better Feed from Ozh

It is feared that, in other cases, such circuitry might be used to endanger human safety and national security. This fear was exacerbated in an October 26, 2009 New York Times article “Old Trick Threatens the Newest Weapons” by John Markoff. He notes that “the Pentagon now manufactures in secure facilities run by American companies only about 2 percent of the more than $3.5 billion of integrated circuits bought annually for use in military gear.” According to Markoff, “… current and former United States military and intelligence agency executives … argue that the menace of so-called Trojan horses hidden in equipment circuitry is among the most severe threats [to national security].”

© BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: black swans, circuitry, electromagnetic pulse, electronic circuitry, EMP, national security, spotlight

Feed enhanced by Better Feed from Ozh

The official said that many of the UAV feeds need to be sent out live to numerous people at one time, and encryption was found to slow the real-time link. The encryption therefore was removed from many feeds.

It’s the same old story: it’s the trade-off between usability and security. In corporate America, we often need to make trade-offs between the usability of the application and the security, part of this assessment of usability comes down to cost of the application. One might expect the US Air Force to have the proper budget and technical requirements to make this function efficiently and securely given the importance of these reconnaissance missions.

The article states that:

The official said the United States generally can operate these systems with impunity in third-world countries that don’t have the technology to tap into open satellite feeds. However, according to the official, Iran has been pushing the SkyGrabber-like technology [used to hack the drones] to Shiite militants in Iraq essentially to see what the United States is looking at because Iranians believe they will be invaded next.

It’s a rational decision that ultimately relies on a type of security by obscurity: we will not need to protect something that is out of the enemy’s reach (technologically or economically). For the US, it’s the equivalent of putting one’s front door key in a space where it’s believed that only people who are over 6 foot tall may reach it. The military did not expect that someone may give the 5 foot tall person a ladder.

© BlogInfoSec.com, 2009. | Permalink | No comment | Add to del.icio.us
Post tags: breach, breach incidents, drones, Encryption, featured, News Commentary, obscurity, Security Breaches, security by obscurity, us military

Feed enhanced by Better Feed from Ozh