Was something missing from the Cisco Annual Cybersecurity Report?

According to Cisco’s 2018 Annual Cybersecurity Report:

  • “Burst attacks,” or short DDoS attacks, affect 42% of the organizations studied
  • Insider threats are still a huge issue
  • More Operational Technology and IoT attacks are coming
  • Hosting in the cloud has greater security as a side benefit
  • Nearly half of security risks come from having multivendor environments
  • New domains are tied to spam campaigns

Many of these findings seem like common sense, or at first glance in some ways in Cisco’s interest, but this 60+ page report goes into much greater detail than these one-liners. It breaks down the analysis by region and time and draws conclusions about the difficulties of cyber defense:

“One reason defenders struggle to rise above the chaos of war with attackers, and truly see and understand what’s happening in the threat landscape, is the sheer volume of potentially malicious traffic they face. Our research shows that the volume of total events seen by Cisco cloud-based endpoint security products increased fourfold from January 2016 through October 2017”

The breadth and volume of attacks can overwhelm any organization and it is not a case of ‘if’ but ‘when’.

One thing I didn’t see mentioned at all was cryptojacking, the unapproved use of processing cycles for mining cryptocurrency. This form of cybersecurity risk affects large entities as well as individuals, through the websites they visit. Generally, this is less destructive than the other attack methods listed above and may even be seen as an alternative to advertisements on sites, but it seemed odd to me that this rapidly advancing trend wasn’t mentioned.

The report is still worth looking over.


NIST standards draft for IoT Security

The draft version of NIST’s “Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)” was released this week and is targeted at helping policymakers, managers and standards organizations develop and standardize IoT components, systems and services.

The abstract of this 187 page document states: “On April 25, 2107, the IICS WG established an Internet of Things (IoT) Task Group to determine the current state of international cybersecurity standards development for IoT. This Report is intended for use by the IICS WG member agencies to assist them in their standards planning and to help to coordinate U.S. government participation in international cybersecurity standardization for IoT. Other organizations may also find this useful in their planning.”

The main portion of the document is in the first 55 pages, with a much larger set of annex sections covering definitions, a maturity model, standards mappings… that will likely be of great interest to those strategizing on IoT.

The document is a great starting point for organizations wanting an independent injection of IoT security perspectives, concerns and approaches. My concern, though, is the static nature of a document like this. Clearly, this area of information technology is undergoing constant change, and this document will likely seem quaint to some very quickly but be referenced by others for a long time in the future. A wiki version may make this more of a useful, living document.

Comments on the draft are due by April 18. Reviewers are encouraged to use the comment template, and NIST will post comments online as they are received.

AWS Redshift and analytics?

Recently, I had the opportunity to test out Amazon Redshift. This is a fast, flexible, fully managed, petabyte-scale data warehouse solution that makes it simple to cost-effectively analyze data using your existing business intelligence tools. It’s been around for a while and has matured significantly over the years.

In my case, I brought up numerous configurations of multi-node clusters in a few minutes, loaded up a fairly large amount of data, did some analytics and brought the whole environment down – at a cost of less than a dollar for the short time I needed it.

There are some great tutorials available, and since Amazon will give you an experimentation account to get your feet wet, you should be able to prove out the capabilities to yourself without it costing you anything.

The security of the data is paramount to the service, since it is available in public AWS as well as GovCloud and can be configured to be HIPAA or ITAR compliant… Data can be compressed and encrypted before it ever makes it to AWS S3.

You can use the analytic tools provided by Amazon, or use security groups to access your data warehouse with the same tools you would use on-site. During my testing, I loaded up both a large star schema database and some more traditional normalized structures.

Since this is only a blog post, I can’t really go into much detail and the tutorials/videos are sufficient to bootstrap the learning process. The purpose of this post is to inform those who have data warehouse needs but not the available infrastructure that there is an alternative worth investigating.


Got the VPN working in my new house

Now that I’ve moved into my new house, I wanted to get a VPN on the Raspberry Pi working. Having a VPN will allow me to log into my home network securely, no matter where I am. Just thought I’d document the process I used, in case it is useful to anyone else.

The process is straightforward.

  1. First, I wrote down the address of my router and assigned my Raspberry Pi a fixed IP address on my LAN.
  2. Next, I got an account with a Dynamic DNS provider. This is not necessary, but it does make the VPN more useful if your ISP ever changes your IP address. I used to use DuckDNS, but found out that my router had an interface in the security settings to No-IP, so I used No-IP. I defined my address information on the Dynamic DNS system. Now whenever the router sees that the address has changed, it should update the domain I have defined. I can just use that address to reach the VPN server.
  3. I installed Raspbian on my Raspberry Pi and then used the pivpn command to set it up:
    curl -L https://install.pivpn.io | bash
  4. This process is well documented on the pivpn site. Once that was completed, I made sure the Pi was up to date with the update and upgrade commands:
    sudo apt-get update && sudo apt-get upgrade
  5. Next you need to go into your router and define the dynamic DNS information as well as the port forwarding to your Raspberry Pi.
  6. Now you can use the pivpn -a command on the Raspberry Pi to create a new certificate for each device that will use the VPN.
  7. Then I installed OpenVPN on the devices (Android, Windows, Linux…) and provided them the key file created in step 6.

That’s a very high-level overview of the process. The VPN allows me to see the screen, access files… just like the device was on my home network, when I am away.
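Steps 1, 5 and 6 are where home VPN setups most often go wrong: the Pi’s “fixed” address sits inside the router’s DHCP pool and gets handed to another device, or the port-forward rule points at the wrong host or port. The following Python script is an added example, not part of the original post or of the PiVPN project; every address, the DHCP range and the forwarding rule are constructed placeholders for a typical home LAN, and 1194/udp is OpenVPN’s default port. Replace them with the values from your own router and run it before touching the router configuration.

```python
"""Sanity-check the LAN addressing and port-forward plan before enabling the VPN.

Added example (not from the post or PiVPN). All values below are constructed
placeholders for a typical home LAN; substitute your own router's settings.
"""
import ipaddress

# Constructed sample of what the router's LAN page shows.
ROUTER_IP = "192.168.1.1"
LAN_CIDR = "192.168.1.0/24"
DHCP_POOL = ("192.168.1.100", "192.168.1.199")   # range the router hands out

# Constructed choices for the Raspberry Pi and the router's forwarding rule.
PI_STATIC_IP = "192.168.1.10"
OPENVPN_PORT = 1194   # OpenVPN's default port (what the installer offers)
FORWARD_RULE = {
    "external_port": 1194,
    "internal_ip": "192.168.1.10",
    "internal_port": 1194,
    "protocol": "udp",
}


def check_static_ip(pi_ip, router_ip, lan_cidr, dhcp_pool):
    """Return a list of problems with the chosen fixed address (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(lan_cidr, strict=False)
    ip = ipaddress.ip_address(pi_ip)
    if ip not in net:
        problems.append(f"{pi_ip} is not inside the LAN {net}")
    if ip == ipaddress.ip_address(router_ip):
        problems.append("Pi address collides with the router")
    if ip in (net.network_address, net.broadcast_address):
        problems.append("Pi address is the network or broadcast address")
    low, high = (ipaddress.ip_address(a) for a in dhcp_pool)
    if low <= ip <= high:
        # The router may lease this address to some other device later,
        # and the forward rule in step 5 would silently point at it.
        problems.append("Pi address lies inside the DHCP pool")
    return problems


def check_forward(rule, pi_ip, vpn_port, protocol="udp"):
    """Return a list of mismatches between the forward rule and the Pi (empty = OK)."""
    problems = []
    if rule["internal_ip"] != pi_ip:
        problems.append("forward rule points at a different host than the Pi")
    if rule["internal_port"] != vpn_port:
        problems.append("forward rule targets a port OpenVPN is not listening on")
    if rule["protocol"].lower() != protocol:
        problems.append("forward rule uses the wrong transport protocol")
    return problems


if __name__ == "__main__":
    for label, probs in (("static IP", check_static_ip(PI_STATIC_IP, ROUTER_IP, LAN_CIDR, DHCP_POOL)),
                         ("port forward", check_forward(FORWARD_RULE, PI_STATIC_IP, OPENVPN_PORT))):
        print(f"{label}: {'OK' if not probs else '; '.join(probs)}")
```

The checks are deliberately independent of the router vendor: the only inputs are the values you wrote down in step 1 and the rule you intend to enter in step 5, so the script can be re-run whenever the router is replaced.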


Hosts file for your protection

With the recent rash of security concerns (across all platforms) I was looking into what can be done to route at least some of the nefarious traffic to the bit bucket. So I thought I’d write a brief post about the effort.

Most people are aware that DNS servers change the more user friendly internet addresses like yourbusiness.com to an IP address that computers can work with more effectively (e.g., 192.x.x.x). We can use this process to provide a bit more safety.

There are two simple ways you can try to subvert addresses pointing to bad locations. One is to use a domain name server that knows about bad services and provides a safe place to route the traffic.

IBM recently announced its Quad9 DNS server. The Global Cyber Alliance (GCA) has partnered with IBM and Packet Clearing House to launch this free public DNS service. It is intended to block traffic to domains associated with botnets, phishing attacks, and other malicious hosts. They continue to update it as new poorly behaving addresses are discovered.

The other technique is to place entries in the hosts file on your machines. The hosts file actually gets the first shot at interpreting addresses, before any DNS query is made. There are organizations that maintain hosts files that you can download, containing known ad servers, banner sites, sites that set tracking cookies, contain web bugs, or infect you with hijackers. Here are web sites for organizations that produce these hosts files:

Lifehacker had an article about modifying your local hosts file that is still valid and may be worth looking at if you’re thinking about adding this level of protection.

This all came to mind over the last few weeks, since Steve Gibson’s Security Now! podcast mentioned some new user tracking software that can be easily thwarted with a few hosts file entries.
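Dropping a downloaded list straight into your hosts file has two practical pitfalls: a list may contain duplicates or malformed lines, and a careless (or malicious) list can redirect names you rely on, such as localhost, to an arbitrary address. The Python below is an added example written for this post, not code from the post or from any of the blocklist maintainers. It parses hosts-file syntax, accepts only sinkhole entries (0.0.0.0 or 127.0.0.1), refuses to override names already defined locally or a small protected set, validates hostname syntax, and emits the merged file with the generated block fenced by marker comments so it can be reviewed or removed later. Both input files are constructed sample text.

```python
"""Merge a downloaded hosts-format blocklist into a local hosts file safely.

Added example, not from the post. LOCAL_HOSTS and BLOCKLIST are constructed
sample text, not real files or real downloaded lists.
"""
import ipaddress
import re

# Constructed sample of an existing local hosts file.
LOCAL_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.168.1.10  nas.home   # my file server
"""

# Constructed sample of a downloaded blocklist (hosts-file format).
# It contains a duplicate, a localhost override and a malformed name on purpose.
BLOCKLIST = """\
# Sample blocklist header
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test banner.example.test
127.0.0.1 localhost
0.0.0.0 ads.example.test
0.0.0.0 bad!name.test
"""

# RFC 1123 style hostname: labels of letters, digits and hyphens, dot separated.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$", re.I)

# Names a blocklist must never be allowed to redirect, whatever it says.
PROTECTED = {"localhost", "localhost.localdomain", "ip6-localhost",
             "ip6-loopback", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comment
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue   # first field is not an IP address: skip the line
        for name in parts[1:]:   # one line may list several hostnames
            yield ip, name.lower()


def blocked_names(blocklist_text, local_hosts_text):
    """Sorted hostnames worth sinkholing: valid, not protected, not already local."""
    local_names = {name for _, name in parse_hosts(local_hosts_text)}
    result = set()
    for ip, name in parse_hosts(blocklist_text):
        if ip not in ("0.0.0.0", "127.0.0.1"):
            continue   # only accept sinkholes, never redirects to real hosts
        if name in PROTECTED or name in local_names:
            continue
        if not HOSTNAME_RE.match(name):
            continue
        result.add(name)
    return sorted(result)


def merged_hosts(local_hosts_text, blocklist_text, sink="0.0.0.0"):
    """Local entries unchanged, then one sinkhole line per name inside markers."""
    names = blocked_names(blocklist_text, local_hosts_text)
    lines = [local_hosts_text.rstrip("\n"), "", "# BEGIN blocklist (generated)"]
    lines += [f"{sink} {name}" for name in names]
    lines.append("# END blocklist (generated)")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(merged_hosts(LOCAL_HOSTS, BLOCKLIST), end="")
```

0.0.0.0 is used as the sink rather than 127.0.0.1 so that blocked requests fail immediately instead of being tried against any web server listening on the loopback interface. Writing one name per line keeps the generated block easy to diff against the next download.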



Could Blockchain be at the center of IoT security?

Blockchain can be used for many things… Blockchain technology has the potential to reduce costs, improve product offerings and increase speed for banks, according to a recent report from the Euro Banking Association (EBA). If you’d like a nice overview of blockchains and bitcoin, there’s one on Khan Academy.

Blockchains can be used to keep track of transfers and to ensure that the data collected has gone through a verification process. One of the properties is that the blockchain is a globally distributed database that anyone can add to, but whose history no-one can modify.

This feature could be very valuable for IoT applications where there is data coming in that you would like to both verify and keep for predictive analytics… IBM has been looking at this for a while, since one of the security concerns has been that nefarious data sources could either modify the incoming data or change the data history. Blockchain techniques could make that almost impossible. One of the issues when you have an abundance of data coming into the enterprise is that the length of the chain could expand to the point where maintaining the chain costs more than the data is worth, so the processing of the chain would probably need to happen outside the IoT sensors/devices themselves. The devices would still need their own private/public keys, though, if the validation goes all the way to the edge.

A simple way to think of the block chain for data transactions…


Where each block likely contains:

  • A timestamp
  • The hash of the previous block as a reference (except the Genesis Block)
  • A pointer to the data transactions hash
  • The block’s own hash
  • The Merkle Root – a hash of all the hashes in the block

This is definitely quite a bit of security but when needed it should be sufficient…
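To make the block fields listed above concrete, here is an added Python illustration, written for this post rather than taken from it or from IBM’s work. Each block carries a timestamp, the previous block’s hash, the list of transaction hashes, the Merkle root of those hashes and its own hash over all of that, so editing any historic sensor reading changes that block’s hash and breaks the link from every later block. The sensor readings are constructed sample data and the timestamps are fixed so the output is reproducible. The example does not cover device signing, which is the separate step the paragraph above points to for validation at the edge.

```python
"""Hash-chained blocks of sensor readings with a Merkle root per block.

Added illustration (not code from the post or from IBM). Readings below are
constructed sample data; timestamps are fixed so results are reproducible.
"""
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64   # the Genesis Block has no predecessor to reference


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tx_hash(tx) -> str:
    """Canonical (key-sorted) JSON so the same reading always hashes the same."""
    return sha256(json.dumps(tx, sort_keys=True).encode())


def merkle_root(tx_hashes):
    """Pairwise-hash transaction hashes up to one root. A single leaf is its own
    root; an odd leaf at any level is paired with itself, as Bitcoin does."""
    if not tx_hashes:
        return sha256(b"")
    level = list(tx_hashes)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


def make_block(timestamp, prev_hash, transactions):
    """Build one block: the header fields plus the block's own hash over them."""
    hashes = [tx_hash(tx) for tx in transactions]
    header = {"timestamp": timestamp, "prev_hash": prev_hash,
              "tx_hashes": hashes, "merkle_root": merkle_root(hashes)}
    header["hash"] = sha256(json.dumps(header, sort_keys=True).encode())
    return {"header": header, "transactions": transactions}


def build_chain(batches, start_ts=1_600_000_000, interval=60):
    """Append one block per batch of readings, each linked to the previous hash."""
    chain, prev = [], GENESIS_PREV
    for n, batch in enumerate(batches):
        block = make_block(start_ts + n * interval, prev, batch)
        chain.append(block)
        prev = block["header"]["hash"]
    return chain


def verify_chain(chain):
    """Return (True, None) if every link holds, else (False, index of first bad block)."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        header = dict(block["header"])
        claimed = header.pop("hash")
        if header["prev_hash"] != prev:
            return False, i                      # link to history broken
        hashes = [tx_hash(tx) for tx in block["transactions"]]
        if hashes != header["tx_hashes"] or merkle_root(hashes) != header["merkle_root"]:
            return False, i                      # a reading was altered
        if sha256(json.dumps(header, sort_keys=True).encode()) != claimed:
            return False, i                      # header itself was altered
        prev = claimed
    return True, None


# Constructed sample sensor readings, three batches of one block each.
SAMPLE_BATCHES = [
    [{"sensor": "temp-01", "value": 21.5}, {"sensor": "temp-02", "value": 22.1}],
    [{"sensor": "temp-01", "value": 21.7}],
    [{"sensor": "temp-01", "value": 21.6}, {"sensor": "temp-02", "value": 22.0},
     {"sensor": "hum-01", "value": 40}],
]


def tamper_demo():
    """Rewrite a historic reading and report verification before and after."""
    chain = build_chain(copy.deepcopy(SAMPLE_BATCHES))
    before = verify_chain(chain)
    chain[1]["transactions"][0]["value"] = 99.9   # change history in block 1
    after = verify_chain(chain)
    return before, after


if __name__ == "__main__":
    print(tamper_demo())   # ((True, None), (False, 1))
```

Because each header hash covers the previous hash, the verifier stops at the first block whose contents no longer match, which is exactly the property that lets the chain be maintained off the devices while still catching a rewritten history.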


In a security breach, the perspective of who’s responsible is shifting…

The implications of boards holding Chief Executive Officers accountable for breaches will be something to watch. Recently a survey of 200 public companies showed that corporate boards are now concerned about cybersecurity and willing to hold top executives accountable.

Since the board (and the CEO they put in place) is ultimately responsible for the results of the company, making the CEO responsible shouldn’t be a surprise. A security breach is just one example of a business risk, not just a “technical issue,” so it should be treated in a similar fashion. There are roles like the CISO, CIO and CRO that may support the CEO in their efforts to steer the ship, but if the organization runs aground, the highest levels of corporate leadership need to be held accountable — just like they are rewarded for improved corporate performance. Neither scenario is accomplished by the CEO alone.

A data breach can impact customer confidence, stock price, and the company’s reputation for a long time and those are not “technical issues.” Unfortunately, it is not a matter of “if” but “when” a security incident will occur so a formal effort must be expended to anticipate, detect, develop contingency plans to limit, and correct the situation when it occurs, as quickly and effectively as possible, reducing the impact on the customers as well as the organization itself.

That is likely one reason why in job postings today there are an abundance of openings in the security space.