Start your day with intelligence. Get The OODA Daily Pulse.
Informing your decisions with actionable intelligence
Start your day with intelligence. Get The OODA Daily Pulse.
Informing your decisions with actionable intelligence
Cyber theft is called the fastest-growing crime in the United States costing the global economy hundreds of billions of dollars every year. The cybersecurity industry leaks into more areas of your life than you might think since technology is advancing so quickly. Cyber security firms say they can’t keep up. “Partners within the industry are constantly trying to recruit,” said Daniel Lambert, a cybersecurity employer. “We try and reach out to middle schools and high schools, community college, advanced college, military.”
The talent problem is entirely a people problem, not exclusively a numbers problem. Do we not have the headcount to fill all current and future positions in the field? No. Are we tapping all potential sources of talent to address the issue? Absolutely not. We talk about meritocracy but support ‘rock star’ culture and are markedly monochromatic and male in our make-up. If the first question you ask when looking for talent is “where do I find someone like Tom?” you’re doing it wrong. The place that produced Tom is 1 out of 1,000 sources of talent; if you blow off 999 of them why are you surprised you can’t find people? Yes, this requires work on the part of employers; if it were easy it wouldn’t be a problem.
Cybercriminals say they are willing to pay over a million dollars per year to individuals with network management, penetration testing, and programming skills willing to put on a black hat, a new Digital Shadows report reveals. Posts on Dark Web forums reveal that one threat actor is willing to pay in excess of $64,000 per month ($768,000 per year) to skilled individuals willing to help them conduct nefarious operations. The salary would go up to $90,000 per month ($1,080,000 per year) for the second year.
If you don’t think you’re going up against professionals, you’ve wrong. Cybercrime is a business. They have business models, they do ROI calculations, they are always looking to optimize, reduce waste, and cut costs. Six-Sigma for Cybercrime might not be a book, but it probably could be. Malicious actors online should be viewed as your business competitors, only with less morals, different ethics, and a bias for action. While unsatisfying on many levels, it helps to consider ‘success’ as being as expensive to hack as possible, not to be hacker-proof.
Google said Wednesday it forgot to mention that it included a microphone in its Nest Secure home alarm system, the latest privacy flub by one of the tech industry’s leading collectors of personal information. The company said earlier this month that its voice assistant feature would be available on the system’s Nest Guard, which controls home alarm sensors. But Google hadn’t told consumers about the device’s built-in microphone when it began selling the hubs in the fall of 2017. As recently as January, the product specs for the device made no mention of a microphone.
I’ve got a bridge to sell you. To be clear: the Internet and devices connected to it have been a net-plus to our lives, but if you’re not asking serious, hard questions about how much risk you’re prepared to introduce into your life, don’t be surprised to find out that you’re way more exposed than you thought you were. For Google, Amazon, any ‘smart’ device manufacturer, the feature you think you’re getting is probably an afterthought from their perspective. You are the product, and selling you is the business model.
In 98% of the assessments conducted for its research, Dtex found employees exposed proprietary company information on the Web – a 20% jump from 2018. Nearly two-thirds (64%) of insider threats are caused by users who introduce risk due to careless behavior or human error, according to new research from Dtex. This compares to 13% of threats due to compromised credentials and 23% caused by intent on harming the organization.
People respond to what is prioritized and how they are incentivized. How often do you talk to people about how they can earn a bonus? How often do you talk to them about the importance of good cybersecurity practices? Is it any wonder people will do all sorts of risky things in order to get paid? As you build security into your organizational culture, make sure the security function is viewed (and behaves) as a protective entity, not an ‘enforcement’ arm. Yes, enforcing policy is important, but people should want to report suspect behavior or highlight issues that inhibit productivity so that they are not worked around, and not feel like they’re going to get into trouble.
Cybersecurity is one of the only IT roles where there are people actively trying to ruin your day, 24/7. The pressure concerns are well documented. A 2018 global survey of 1,600 IT pros found that 26% of respondents cited advanced malware and zero-day vulnerabilities as the top cause for the operational pressure that security practitioners experience. Other top concerns include budget constraints (17%) and a lack of security skills (16%). The constant stresses of cybersecurity can easily turn into an employee overload with potentially dangerous consequences.
Stop with the rending of hair and gnashing of teeth. Cybersecurity isn’t any more or less stressful than any other field of endeavor. This is not to say the problem is not real, but the tactics, techniques, and procedures for handling stress are well-trod ground. We’re not special and if we can avoid adding ‘cyber’ in front of ‘stress reduction’ strategies that’s a step in the right direction. Like any other field where this is a problem, you can usually trace the roots to a lack of support by leadership, a lack of understanding of requirements, and by extension a lack of resources. “Do all the security things” is not a mandate nor is it a sustainable course of action.
Iranian hackers launched a cyber-attack against the Australian parliament with the intention to harm the Five Eyes Alliance [FVEY], the secret service alliance between five English speaking countries: the US, the UK, Canada, New Zealand and Australia, Maariv reported on Friday. The attack was connected to a technology firm called Mabna Institute, which is related to the Iranian Revolutionary Guard.
Attribution: the bane of our existence. Today its Iran, but yesterday it was China. Tomorrow it’ll probably be Bhutan. Does it matter? It depends on whether or not you plan to do anything about it (and what). Technical practitioners focus on the granular, but at a higher level it really is about ‘who benefits?’ In this case either of the accused parties falls into the category of ‘the usual suspects,’ but geography probably counts for something. Regardless, attacks on a political entity can only be a good thing (in a weird way) from security perspective, because it brings the issue to the attention of people who can drive change. Blood and bullets rightfully dominate the decision-making cycles of policy-makers, but recent events make it clear that attacking the political process can have a substantial impact against those who may know a lot about kinetics, but not about the pain ‘softer’ power can bring.
As concerns mount that Russia will unleash hackers and online disinformation brigades to wreak havoc in another American election, senior U.S. officials are taking a second look at a technology handed down from the age of Gorbachev and Reagan: an emergency “hotline” between officials in the U.S. and Russia that might someday pull both countries back from the brink of an all out cyberwar. The secure messaging system, known colloquially in the White House as the “cyberhotline,” already exists. It was set up in 2013—building off a Cold War messaging system, in fact—in the hope that it might facilitate conversations between the two countries during a crisis in cyberspace, where the identities and intentions of attackers are often muddled.
A useful tool that will probably get a lot more use than its atomic sibling. Of course this assumes the players are willing to admit they’re involved (or not), and that the other side believes them (which is questionable at best). When you can’t confirm or deny with an IR burn or telemetry, trusting a random voice on the end of the line that they’re not responsible for your nation-wide blackout gets real tenuous real quick.
On February 19, the European Telecommunications Standards Institute (ETSI) published the ETSI TS 103 645 V1.1.1 — or more simply, a high-level outcome-focused standard (PDF) for cybersecurity in the consumer-oriented Internet of Things (IoT). The hope of the new standard is that it will provide the basis for future IoT certification schemes designed to prevent the loss of users’ personal data in breach of GDPR, and the recruitment of consumer IoT devices into botnets (think Mirai) used to DDoS corporations.
IoT security standards are for our grandchildren. The millions of devices already deployed and having an impact on our lives and the lives of our children are not covered by such standards and cannot be upgraded to be compliant. Given the lifespan of such devices, we’re decades away from such standards having a meaningful impact. Like our failure to get commodity IT to bake in security from the get-go decades ago, our rush to make everything ‘smart’, combined with the rate at which we’re adopting such devices, is going to make us look amazingly stupid.
Google has announced FIDO2 certification for devices running on Android 7 and above – meaning that users can use biometrics, fingerprint login or PINs instead of passwords. Half of all Android users can now log into apps and websites on their devices – without having to remember a cumbersome password. “Web and app developers can now add FIDO strong authentication to their Android apps and websites through a simple API call, to bring passwordless, phishing-resistant security to a rapidly expanding base of end users who already have leading Android devices and/or will upgrade to new devices in the future.”
Give the finger to passwords and PINs. Of course the edge-case fanatics will gleefully point out ways that even biometrics can be compromised, most of us aren’t worried about Ethan Hunt coming after us.
LinkedIn profiles provide a persistent, patient threat actor with the information required to craft spear-phishing messages. Scammers tend to be skilled at finding the most vulnerable individuals and turning them into victims. Case in point: Researchers at Proofpoint have been tracking campaigns that prey on those looking for work. The payoff is not a job: It’s a copy of the More_eggs backdoor. The criminal (or criminals) conducting these campaigns seems patient and persistent. The person targets the potential victim through LinkedIn direct messaging, builds rapport, and then begins follow-up through fake websites stuffed with malicious links, email with malware payloads, or both.
Not everything is always too good to be true, but if its on LinkedIn it probably is. The profile of a ‘senior’ practitioners with one job wanting to connect is almost certainly bogus. The pretty/handsome young thing with a picture-perfect profile looking for a mentor is too (I love you all, but don’t flatter yourself). Threats from LinkedIn (and other social platforms) can be significantly reduced if – as the founder of LinkedIn has said many times – it reflects your actual network and people you’ve met.
Despite the openness of the Android platform, Google has managed to keep its Play store mainly free of malware and malicious apps. Outside of the marketplace is a different matter. In 2018, Google saw more attacks on users’ privacy, continued to fight against dishonest developers, and focused on detecting the more sophisticated tactics of mobile malware and adware developers, the Internet giant stated in a recent blog post.
The only difference between a mobile app and malware is intent. First hand knowledge of how easy it is to vacuum up personal details from mobile apps is a story for another day, suffice it to say that if you’re not questioning why, say, a flashlight app requires access to your address book and photos, you’re an example of why humans are bad at assessing risk. If you really need a given app, opt for the paid one (less likely that the authors are making their money selling you) and read the fine print. Anything else and you’re punting.
Payroll software provider Apex Human Capital Management suffered a ransomware attack this week that severed payroll management services for hundreds of the company’s customers for nearly three days. Faced with the threat of an extended outage, Apex chose to pay the ransom demand and begin the process of restoring service to customers. Oxman said Apex hired two outside security firms, and by Feb. 20 the consensus among all three was that paying the ransom was the fastest way to get back online. The company declined to specify how much was paid or what strain of ransomware was responsible for the attack.
Ransomware is a business, and it requires making business decisions. We talked about the multi-million dollar price-tag the City of Atlanta is going to pay because they opted to take the high road. It’s easy to get indignant, but in the immortal words of Michael Corleone: it’s just business, and if you fall victim you should treat it as such.
The hacker ran a botnet that spread ‘NeverQuest’ malware for three years and collected millions of banking credentials. Stanislav Vitaliyevich Lisov, a Russian citizen accused of using the NeverQuest banking Trojan to steal login information from victims, has pled guilty to one count of conspiracy to commit computer hacking in Manhattan Federal Court. The crime carries a maximum penalty of five years in prison. Lisov was arrested in Spain on January 13, 2017, and on January 19, 2018 was extradited from Spain to the United States. He is scheduled for sentencing on June 27, 2019.
One down, a few hundred thousand to go. There are those who applaud indictments of foreign hackers and intelligence officers, and other legal and political moves designed to counter malicious activity online, but wins like this are notable because they’re rare. Silk Road? A dozen replacements were up within days. Successfully combating bad actors in cyberspace demands that we work at scale. The impact can be short-lived if it is wide-spread and frequent. Eventually the ROI calculation for the bad guys will change, but not if we adhere to a law enforcement approach that is ill-suited to information age crimes.
It’s time for tech to grow a conscience. That’s Bruce Schneier’s message at this year’s RSA Conference. Just as lawyers are expected to engage in pro bono work if they want to make partner at a major law firm, so too should security professionals be expected to spend time helping secure vulnerable groups, such as non-profits, human rights workers, journalists and other voices of conscience in society. “I would like to see an ecosystem where if you are going to be a senior manager in cybersecurity, you will have been expected to do some work in the public interest,” Schneier tells CSO.
Only 24 hours in a day; only 12 notes that a man can play. DHS has long tried to get industry talent on a non-reimbursable basis, with predictable results. While an admiral goal, it’s hard to understand how we can achieve such an ideal when the cybersecurity workforce is…challenged by a number of factors that would make it effectively impossible to comply. “Non-profit” doesn’t mean “no-money,” and if security is a priority in the aforementioned fields, it’s not clear why we’re not arguing that they shouldn’t be prioritizing accordingly and paying for it just like everyone else. For everyone who has the time and makes the effort, kudos, but mandatory charity will go over in cybersecurity about as well as it would in any other industry where the problems are hard and the resources stretched thin.
The only place in San Francisco still pricing real estate like it’s the 1980s is the city assessor’s office. Its property tax system dates back to the dawn of the floppy disk. City employees appraising the market work with software that runs on a dead programming language and can’t be used with a mouse. Assessors are prone to make mistakes when using the vintage software because it can’t display all the basic information for a given property on one screen. The staffers have to open and exit several menus to input stuff as simple as addresses. To put it mildly, the setup “doesn’t reflect business needs now,” says the city’s assessor.
If it ain’t broke, don’t fix it? Government legitimacy is by and large dependent upon being able to effectively deliver services (see post-invasion Iraq). In this day and age that means if you’re using computers or offering services over the ‘Net, you need to make sure they can’t be shut down or disrupted via trivial means. It means taking advantage of technology for the benefit of citizens. If you’re pre-mouse age in your capabilities you’re not a government; you’re a museum. Fragility, in pursuit of frugality, is not a virtue.
The Montreal-based United Nations aviation agency concealed for months a hack of its computers and allowed malware to spread throughout the airline industry, Canada’s public broadcaster reported Wednesday. The International Civil Aviation Organization (ICAO) had in November 2016 been the victim of the “most serious cyberattack in its history.” Internal documents obtained by the broadcaster revealed a flawed response to the attack mired in delays, obstruction and negligence, and attempts by staff to hide their incompetence.
Being a victim doesn’t make you a bad person: cocking up the response and covering it up does. What causes you to question the faith and trust in such an organization more; that they were pwnd, or that in 2019 they apparently had no idea how to deal with it and would rather lie than get help? Aviation security (near miss reporting system) is a great model that cybersecurity should seek to emulate, but if we can’t get the culture thing right, then there is no hope for improvement.
The Dow Jones Watchlist, a dataset of 4.4 Gigabytes, was found exposed in an unprotected Elasticsearch database on an AWS server. The Watchlist is used by many of the world’s largest organizations as part of their due diligence for both large and small contracts and transactions. While it contains the financial status of companies, it also includes sensitive information about individuals including politically exposed persons, government sanction lists, persons linked to or convicted of high-profile crimes, and notes sourced from federal agencies and LEAs.
You can’t lose what you don’t store. To the extent that a data set like this has to exist, ensuring that some fundamentals are in place (minimum amount of data necessary, minimum levels of permissions granted to users, authentication, etc.) are essential. Likewise, ensuring that data that doesn’t have to be there is wiped. Just because storage is practically free at scale doesn’t means you should ‘save all’ and forget about it.
State-sponsored attackers continued to be extremely active in 2018 with major groups from at least a dozen countries involved in operations targeting government, business, and civilian targets throughout the year, according to analyses by two security firms. While advanced persistent threat (APT) groups have, in the past, often used custom frameworks to help compromise systems and exfiltrate data, current groups are just as likely to use open-source malware and legitimate administration tools as a way to avoid detection and attribution.
It’s not dumb if it works. For high-end threat actors, ‘advanced’ tools run the risk of being one-shot wonders (see vulnerability equities process). Nobody is going to potentially burn an expensive tool, when a crowbar with do (and given the state of cyber defense in most organizations, even a blunt instrument is rarely needed). Emphasizing the fundamentals and doing the un-glamorous grunt work will do more to improve the state of cybersecurity across the board than the latest blinky box.
JEDI is not only a reference to an order of wise warriors in Star Wars movies, it’s an acronym that stands for the Joint Enterprise Defense Infrastructure, an effort by the Pentagon to unify its information-sharing infrastructure. It will affect every defense agency and all branches of the military services. Beyond IT, JEDI will set the stage for a new era of modern warfare. Accordingly, the Pentagon cannot afford to get the JEDI IT modernization implementations wrong as our national security and the safety of our troops in the field depends on access to modern computing.
The government doesn’t build stuff any more, it’s a procurement shop, so why not go with the best money can buy? It would a mistake to assume that the points raised in the source article, and more, have not been addressed by those with first hand knowledge. The government is placing a lot of trust in ‘someone else’s computer,’ but having said that, ‘someone else’ does have a vested interest in providing reliable and secure capabilities, and can afford to hire and retain top technical talent (something the IC struggles with). Scenarios – reasonable and movie-plot type – that apply to Amazon or Google apply to any facility run by the gov’t as well (see American Airlines Flight 77, 09/11/2001).
Most local industrial and manufacturing organisations have moved in recent years to upgrade Operational Technology (OT) environments to advanced and connected modern Industrial IoT (IIoT) systems that support automation, remote monitoring and analytics. However, some of these OT systems are decades old, designed in a pre-cyber risk era, and are vulnerable to malware and other cyber threats. The very connectedness that enables smarter operations also expands the organisation’s risk profile, making systems that worked historically suddenly interconnected and highly vulnerable devices that can be compromised remotely. Critical infrastructure is being increasingly targeted by cyber criminals, with a reported 51% of organisations experiencing a SCADA/ICS security breach within the past 12 months.
Our standard of living is far more precarious than you might expect. The effort required to ‘brick’ a factory or negatively impact at least some element of a critical infrastructure provider for a period of time via an IoT vector is nominal. Common security IT security practices, ill-adapted to IoT environments, can have the same (unintended) effect. The obscurity and complexity of such systems is not going to be an effective defense for long, if that day has not already past. “Securing” OT/IoT is not really a thing at this stage, and won’t be for some time. Our best course of action now and going forward is to improve the resilience of such systems so that the impact of malicious action is brief and infrequent.
If you’re going to the play the “AI” drinking game at RSA Conference 2019, you may not make it out alive. Ahead of the industry’s largest trade show in San Francisco, vendors are already touting AI-based solutions meant to address one of the industry’s most pressing issues: a scarcity of workers qualified to defend against cyberattacks. Over the past week, both Palo Alto Networks Inc. PANW, -0.93% and Microsoft Corp. MSFT, -0.28% announced new AI-branded services to address an often-cited lack of cybersecurity workers qualified to keep on top of an exponentially growing number of cyberattacks.
Work at scale, or go home. Speed and scale are the two factors that contribute the most to cyber defensive efforts. The faster you can respond the less of an impact an attack can have; the more systems and people you can defend at any one time the poorer the ROI for attackers. AI, done properly, can help in both regards, given that we’re not going to address the human talent factor any time soon. Having said that, “properly” is the rub. A room full of PhDs hidden in a back room rocking a spreadsheet that drives a blinky-dashboard in the demo room isn’t going to cut it.
Empowered by new authorities provided by the White House and Congress for DoD to operate in this space, Cyber Command has followed a new approach of “defending forward,” essentially fighting adversaries in networks before they manifest themselves in U.S. networks. The debate over DoD’s role in homeland defense from a cyber perspective came to a head in 2017 when Sen. John McCain,R-Ariz., clashed with a top defense official, who argued that the department should not take a leading role when it comes to election security because it does not fall under the banner of defending the homeland.
The Navy isn’t responsible for defending my canoe. Everyone loves these surface-level discussions; no one wants to be reminded that cyberspace has physical underpinnings, which is civilian owned and operated. “Cyberwar?” That sort of nonsense would end tout de suite if an ISP decided it was interfering with revenue generation. Both sides could put forth arguments that the other side’s failures at defense make them unsuitable protectors of the realm, but the fact remains that the Internet is not national (or nationalized) and if we’re to continue to extract maximum value from it, it shouldn’t be. Risk is the price we pay for the liberties we enjoy. This is true in meat-space and cyberspace.
About the Author
Michael Tanji spent nearly 20 years in the US intelligence community. Trained in both SIGINT and HUMINT disciplines he has worked at the Defense Intelligence Agency, the National Security Agency, and the National Reconnaissance Office. At various points in his career he served as an expert in information warfare, computer network operations, computer forensics, and indications and warning. A veteran of the US Army, Michael has served in both strategic and tactical assignments in the Pacific Theater, the Balkans, and the Middle East.
Informing your decisions with actionable intelligence
Informing your decisions with actionable intelligence