National Cyber Strategy of the United States of America

In case you’ve not heard about it, the White House has released a PDF, the National Cyber Strategy of the United States of America.

I’ve not read through the whole thing, but the intro starts out with:

America’s prosperity and security depend on how we respond to the opportunities and challenges in cyberspace. Critical infrastructure, national defense, and the daily lives of Americans rely on computer-driven and interconnected information technologies. As all facets of American life have become more dependent on a secure cyberspace, new vulnerabilities have been revealed and new threats continue to emerge.

Looks like a document worth understanding.

It defines four pillars for a national approach to cyber-security:

  1. Protect the American People, the Homeland, and the American Way of Life
  2. Promote American Prosperity
  3. Preserve Peace through Strength
  4. Advance American Influence

It will be interesting to see how the impacts of actions along these lines will be measured and felt — something technologists should watch.


Symantec Security Report

About a month ago, I wrote a post about a new Cisco security report that was completely missing the concept of cryptocurrency mining and its impact on home and server devices.

I just had a chance to look at Symantec’s annual security center report, and it went overboard in the other direction, quoting statistics like an 8,500% increase in coinmining — using the law of small numbers to generate headlines, since coinmining was in its infancy a year ago.

Other than that bit of histrionics, the report more effectively covered the concerns I’ve seen over the last year, with a significant increase in software supply chain attacks and in mobile malware incidents (the latter up by 54%).

I thought the report well worth reviewing.

Was something missing from the Cisco Annual Cybersecurity Report?

According to Cisco’s 2018 Annual Cybersecurity Report:

  • “Burst attacks,” or short DDoS attacks, affect 42% of the organizations studied
  • Insider threats are still a huge issue
  • More Operational Technology and IoT attacks are coming
  • Hosting in the cloud brings greater security as a side benefit
  • Nearly half of security risks come from having multivendor environments
  • New domains are tied to spam campaigns

Many of these findings seem like common sense, or in some ways in Cisco’s interest, at first glance, but this 60+ page report goes into much greater detail than these one-liners. It breaks down the analysis by region and time, and concludes the following about the difficulties of cyber defense:

“One reason defenders struggle to rise above the chaos of war with attackers, and truly see and understand what’s happening in the threat landscape, is the sheer volume of potentially malicious traffic they face. Our research shows that the volume of total events seen by Cisco cloud-based endpoint security products increased fourfold from January 2016 through October 2017”

The breadth and volume of attacks can overwhelm any organization; it is not a case of ‘if’ but ‘when’.

One thing I didn’t see mentioned at all was cryptojacking, the unapproved use of processing cycles to mine cryptocurrency. This form of cybersecurity risk affects large entities as well as individuals, through the websites they visit. Generally, it is less destructive than the other attack methods discussed, and it may even be seen as an alternative to advertisements on sites, but it seemed odd to me that this rapidly growing trend wasn’t mentioned.

The report is still worth looking over.

NIST standards draft for IoT Security

The draft version of NIST’s “Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)” was released this week. It is targeted at helping policymakers, managers and standards organizations develop and standardize IoT components, systems and services.

The abstract of this 187 page document states: “On April 25, 2107, the IICS WG established an Internet of Things (IoT) Task Group to determine the current state of international cybersecurity standards development for IoT. This Report is intended for use by the IICS WG member agencies to assist them in their standards planning and to help to coordinate U.S. government participation in international cybersecurity standardization for IoT. Other organizations may also find this useful in their planning.”

The main portion of the document is in the first 55 pages, followed by a much larger set of annex sections covering definitions, a maturity model, standards mappings and more, which will likely be of great interest to those strategizing on IoT.

The document is a great starting point for organizations wanting an independent injection of IoT security perspectives, concerns and approaches. My concern, though, is the static nature of a document like this. Clearly, this area of information technology is undergoing constant change, and this document will likely seem quaint to some very quickly while still being referenced by others for a long time to come. A wiki version might make it more of a useful, living document.

Comments on the draft are due by April 18. Reviewers are encouraged to use the comment template, and NIST will post comments online as they are received.

Hosts file for your protection

With the recent rash of security concerns (across all platforms), I was looking into what can be done to route at least some of the nefarious traffic to the bit bucket, so I thought I’d write a brief post about the effort.

Most people are aware that DNS servers translate user-friendly internet names like yourbusiness.com into IP addresses that computers can work with more effectively (e.g., 192.x.x.x). We can use this process to provide a bit more safety.

There are two simple ways to divert traffic that would otherwise go to bad locations. One is to use a DNS server that knows about bad services and routes that traffic to a safe place instead.

IBM recently announced its Quad9 (9.9.9.9) DNS server. The Global Cyber Alliance (GCA) has partnered with IBM and Packet Clearing House to launch this free public DNS service. It is intended to block traffic to domains associated with botnets, phishing attacks, and other malicious hosts, and it continues to be updated as new poorly behaving addresses are discovered.

The other technique is to place entries in the hosts file on your machines. The hosts file gets the first shot at interpreting an address, before DNS is ever consulted. There are organizations that maintain hosts files you can download, containing known ad servers, banner sites, sites that set tracking cookies or contain web bugs, and sites that infect you with hijackers. Here are web sites for organizations that produce these hosts files:

Lifehacker had an article about modifying your local hosts file that is still valid and may be worth looking at if you’re thinking about adding this level of protection.

This all came to mind over the last few weeks, since Steve Gibson’s Security Now! podcast mentioned some new user tracking software that can be easily thwarted with a few hosts file entries.
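As an added illustration (not code from this post, nor from any of the hosts-file or DNS projects mentioned), the following Python parses hosts-file-style lines and shows the resolution order the post describes: a name found in the hosts file is answered there and never reaches DNS, so an entry that maps an unwanted name to 0.0.0.0 or 127.0.0.1 sinks the traffic. The sample hosts text, the host names and the stand-in DNS table are all constructed for this example, and the function names are my own.

```python
import ipaddress

# Constructed sample hosts file (not from the post or any blocklist project):
# the usual local names plus blocklist-style lines that sink unwanted names.
SAMPLE_HOSTS = """\
# local names
127.0.0.1   localhost
::1         localhost ip6-localhost

# blocklist entries (constructed examples)
0.0.0.0     ads.example.net   tracker.example.net   # 0.0.0.0 is unroutable
127.0.0.1   Banner.Example.org                      # loopback: goes nowhere useful
not-an-ip   broken.example.net                      # malformed line, must be ignored
"""

# Constructed stand-in for a real DNS lookup (TEST-NET-3 address, not a live host).
FAKE_DNS = {"example.com": "203.0.113.10"}

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOCAL_NAMES = {"localhost", "ip6-localhost"}   # legitimately loopback, not blocked

def canonical(name):
    # hosts lookups are case-insensitive; strip a trailing dot from FQDN form
    return name.lower().rstrip(".")

def parse_hosts(text):
    """Parse hosts-file text into {hostname: address}.
    Format rules: '#' starts a comment, whitespace separates fields, the first
    field is an address and every later field is a name mapped to it. The first
    line naming a host wins, as resolvers stop at the first match."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue          # malformed address: skip rather than guess
        for name in fields[1:]:
            table.setdefault(canonical(name), addr)
    return table

def resolve(name, hosts, dns_lookup):
    """Hosts file gets the first shot; DNS is asked only for names it lacks.
    Returns (address, source) so a caller can see which path answered."""
    key = canonical(name)
    if key in hosts:
        return hosts[key], "hosts"
    return dns_lookup(key), "dns"

def is_blocked(name, hosts):
    """True when the hosts file deliberately sinks this name to an address
    that cannot reach the real site (and it is not a genuine local name)."""
    key = canonical(name)
    addr = hosts.get(key)
    return addr in SINKHOLE_ADDRESSES and key not in LOCAL_NAMES

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for n in ["ads.example.net", "BANNER.example.org.", "localhost", "example.com"]:
        addr, source = resolve(n, hosts, FAKE_DNS.get)
        print(f"{n:22} -> {addr!s:14} via {source:5} blocked={is_blocked(n, hosts)}")
```

Two details matter when you adopt a downloaded hosts file: entries are matched exactly by name (a blocklist line for ads.example.net does nothing for www.ads.example.net), and a malformed address line is silently ignored by the system resolver, so a blocklist that has been mangled in transit can quietly stop protecting you.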


Could Blockchain be at the center of IoT security?

Blockchain can be used for many things… Blockchain technology has the potential to reduce costs, improve product offerings and increase speed for banks, according to a recent report from the Euro Banking Association (EBA). If you’d like a nice overview of blockchains and bitcoin, there’s one on Khan Academy.

Blockchains can be used to keep track of transfers and to ensure that the data collected has gone through a verification process. One of their key properties is that the blockchain is a globally distributed database that anyone can add to, but whose history no one can modify.

This feature could be very valuable for IoT applications where data is coming in that you would like to both verify and keep for predictive analytics. IBM has been looking at this for a while, since one of the security concerns has been that nefarious data sources could either modify the incoming data or change the data history. Blockchain techniques could make that almost impossible.

One of the issues when you have an abundance of data coming into the enterprise is that the length of the chain could grow to the point where maintaining the chain costs more than the data is worth, so the processing of the chain would probably need to happen outside the IoT sensors and devices themselves. The devices would still need their own private/public keys, though, if validation is to go all the way to the edge.

A simple way to think of the block chain for data transactions…

[Diagram: blockchain]

Where each block likely contains:

  • A timestamp
  • The hash of the previous block as a reference (except the Genesis Block)
  • A pointer to the data transactions hash
  • The block’s own hash
  • The Merkle root – a single hash derived from all the transaction hashes in the block

This is definitely quite a bit of security machinery, but where it is needed it should be sufficient…
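To make the block layout above concrete, here is an added Python example (not from this post, IBM, or any blockchain project) that builds a small chain of constructed sensor readings with the five fields listed, then shows why editing a past reading is detectable: even if the forger recomputes the edited block’s own hashes, the next block’s previous-hash link no longer matches. The sensor names, values and timestamps are constructed, and the function names are my own.

```python
import copy
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_hash(record) -> str:
    # Canonical JSON so the same reading always hashes the same way.
    return sha256_hex(json.dumps(record, sort_keys=True).encode())

def merkle_root(leaf_hashes):
    """Merkle root over hex leaf hashes: hash adjacent pairs level by level,
    duplicating the last leaf when a level has an odd count."""
    if not leaf_hashes:
        return sha256_hex(b"")          # empty block (e.g. genesis)
    level = list(leaf_hashes)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256_hex(bytes.fromhex(level[i] + level[i + 1]))
                 for i in range(0, len(level), 2)]
    return level[0]

def block_hash(header) -> str:
    # The block's own hash covers every header field, including prev_hash.
    return sha256_hex(json.dumps(header, sort_keys=True).encode())

def make_block(prev_hash, records, timestamp):
    tx_hashes = [record_hash(r) for r in records]
    header = {
        "timestamp": timestamp,            # when the block was sealed
        "prev_hash": prev_hash,            # back-link; None only for genesis
        "tx_hashes": tx_hashes,            # pointers to the data records
        "merkle_root": merkle_root(tx_hashes),
    }
    return {"header": header, "records": records, "hash": block_hash(header)}

def build_chain(batches, start_time=1_700_000_000):
    chain = [make_block(None, [], start_time)]            # genesis block
    for i, batch in enumerate(batches, 1):
        chain.append(make_block(chain[-1]["hash"], batch, start_time + i))
    return chain

def verify_chain(chain):
    """Recompute every record hash, Merkle root, block hash and back-link.
    Returns (True, "ok") or (False, reason naming the first bad block)."""
    for i, block in enumerate(chain):
        h = block["header"]
        tx = [record_hash(r) for r in block["records"]]
        if tx != h["tx_hashes"]:
            return False, f"block {i}: record hashes do not match records"
        if merkle_root(tx) != h["merkle_root"]:
            return False, f"block {i}: merkle root mismatch"
        if block_hash(h) != block["hash"]:
            return False, f"block {i}: block hash mismatch"
        expected_prev = chain[i - 1]["hash"] if i > 0 else None
        if h["prev_hash"] != expected_prev:
            return False, f"block {i}: previous-hash link broken"
    return True, "ok"

def tamper_reading(chain, block_index, record_index, new_value, rehash_block=False):
    """Return a copy of the chain with one historical reading edited. With
    rehash_block=True the edited block's own hashes are recomputed too, which
    only moves the detectable break to the following block's back-link."""
    forged = copy.deepcopy(chain)
    block = forged[block_index]
    block["records"][record_index]["value"] = new_value
    if rehash_block:
        h = block["header"]
        h["tx_hashes"] = [record_hash(r) for r in block["records"]]
        h["merkle_root"] = merkle_root(h["tx_hashes"])
        block["hash"] = block_hash(h)
    return forged

# Constructed sensor readings (not real data) batched into blocks.
SAMPLE_BATCHES = [
    [{"sensor": "temp-01", "value": 21.5}, {"sensor": "temp-02", "value": 19.0}],
    [{"sensor": "temp-01", "value": 22.0}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("fresh chain:", verify_chain(chain))
    print("edited reading:", verify_chain(tamper_reading(chain, 1, 0, 99.9)))
    print("edited and rehashed:",
          verify_chain(tamper_reading(chain, 1, 0, 99.9, rehash_block=True)))
```

This is the integrity property the post relies on, and nothing more: the chain proves that stored history has not been altered after the fact, but it cannot tell you whether a reading was bad when it arrived. That is why the post’s closing remark about per-device keys matters; a signature over each record by the originating device is what ties a block’s contents to a source, and the chain then preserves that binding.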

In a security breach, the perspective of who’s responsible is shifting…

The implications of boards holding Chief Executive Officers accountable for breaches will be something to watch. A recent survey of 200 public companies showed that corporate boards are now concerned about cybersecurity and willing to hold top executives accountable.

Since the board (and the CEO they put in place) is ultimately responsible for the results of the company, making the CEO responsible shouldn’t be a surprise. A security breach is just one example of a business risk, not just a “technical issue,” so it should be treated in a similar fashion. There are roles like the CISO, CIO and CRO that may support the CEO in their efforts to steer the ship, but if the organization runs aground, the highest levels of corporate leadership need to be held accountable — just as they are rewarded for improved corporate performance. Neither scenario is accomplished by the CEO alone.

A data breach can impact customer confidence, stock price, and the company’s reputation for a long time, and those are not “technical issues.” Unfortunately, it is not a matter of “if” but “when” a security incident will occur, so a formal effort must be made to anticipate and detect incidents, develop contingency plans to limit them, and correct the situation when it occurs, as quickly and effectively as possible, reducing the impact on the customers as well as on the organization itself.

That is likely one reason why there is an abundance of openings in the security space in job postings today.