Winn Writes & Wrants

SS: Cyberwar. We knew. from The Security Awareness Company on Vimeo.

The DHS announced it wants to hire 1,000 security experts to defend the critical infrastructure of the U.S.  Then a number of criticisms appeared saying, “there aren’t 1,000 security experts in the whole wide world!”

Oops!

Security is a Wide Area and there are all sorts of experts – not one master set of skills that you can find on any single resume.

A few years ago ~1994 I was at dinner with Mr. Ex. (Don’t want to embarrass him cause he still claims he is the smartest of us all.)  I had only been in the field about 10 years and was learning… as we all still are every day. He told me, “I know everything there is about security….” ad nauseum.  NONE OF US DO! (I choked on my Ratatouille but kept PC-ish and moved my plate to another table.)

The error here is with DHS PR. Some wonk used the media term “security expert” (sans definition) and off we go in the wrong perception-description; just as we have allowed the media to blame every security incident on ‘hackers’ – clearly a massive nom-de-guerre error by any standard.

Once we allow them to lock in the term “security expert” as a catch all for anyone who can find the ‘on’ button or push Defrag or even do slick coding hacks, we are in trouble. No more than a company (or kinetic force projection outfit) can run on one set of expert skill sets, security itself (like any vertical technical discipline) is a highly granulated suite of skills that must be integrated.

A CND/CNA (Computer Network Defense/Attack) suite of expertise includes (at a broad stroke) many skills needed to deploy and Information Army

- Mapping People

- Cracking People

- Coding (CNA & CND)

- Reverse Engineering

- Social Engineering

- C3I

- Sniffers

- Readers

- Research

- Moles (yeah, C****, I****, P****** has none of those in our CIs)  (Note: the way the national letters come out…

- Analysts/Synthesizers

- Manufacturing (CNA)

- Distribution (CND/CNA)

- PR (!! Techy and accurate, not PC)

- Education

- Awareness

- Perception Management & PsyOps

- Failure Modeling

- Process Control

- Reconstitution

- DR

- Layered Technical Management.

- The interdisciplinary expertise needed from psychology, neural behavior, etc. etc. (Security is not technical, solely, not is it?)

- Yeah… and more good PR people who speak geek. (Not the usual wonks)

No one can do it all. No one has all of these skills. Period.

I worry much less about DHS acquiring 1,000 people with skills than them being able to find the right management who understand security, the temperament of the geek community and can last more than a handful of months in a culture designed to fail.

There are millions of people with the varied skills a well-organized Information Army (CND/A) needs. There are decidedly fewer people who know how to, or have even ever thought about to taxonomize the skills and organize them (skills and people) like a true business.

Get a free download of ‘Information Warfare’ at:  http://www.winnschwartau.com/downloads.html and take a look at Chapter 16.

Winn

Sure… Let’s Shut Down the Net!

I’ve been traveling in Europe and didn’t have a chance to comment. Well, I really chose not to work so much.

Sure, why shouldn’t we shut down the Internet?

Of course, I am referring to the hoopla about various interpretations of whether the U.S. government should be able to turn off the Internet in case of severe cyber-attack. A few problems to consider:

• What is ‘Severe’? Who decides?
• Can the Internet – even the U.S. portion - actually be turned off?

I’ve seen various discussions on these points but for now, let’s pretend that they don’t exist. There are other issues.

1. We teach home and business users that if they think they are infected with malware to disconnect their Ethernet or wireless connection immediately to stop the propagation. No one has a problem with that. It makes sense.
2. On 9/11, we shut down all air traffic in a matter of hours. No one had a problem with that. (Being stuck in Fargo, though, might have been a hassle. Think the Steve Martin movie, ‘Planes, Trains and Automobiles.’

Unplugging from hostility is not a new concept. The fundamental question in this case is, which is worse? Disconnecting for a time and reconstituting with control, or allow an attack to continue while we try to combat it and use the Net at the same time.

This returns to the questions of ‘what is Severe?”

From my view, disconnecting is a must-have option that should be on the table at all times. It makes sound engineering sense. In complex systems, isolation, analysis, repair and reconstitution (reconnection) is the only way. How else can you figure out what’s really wrong and how much damage has been done? Power companies have done it for years. The tacos did it in 1991 when the SS7 switches collapsed. Lasted a few hours.

Should the feds decide to unplug the banks or should the collective wisdom of the Fed Reserve and leading financial institutions make that decision in a defensive step of self-preservation?

The problem I have with the majority of what I hear is the fear mongering of nationalization by technically ignorant politicos with media access and an agenda.

The question should be, “How do we properly plan” for such an eventuality instead of merely spreading unfounded fear.

A cop comes to your house. “We need you downtown, now.” And you’re expected to drop everything… even though you have no legal obligation to do so. Authority says to comply.

“Yes, you can afford this mortgage… and we can always refinance in a couple of years…” Expert authority speaks and too damned many people listened. (Someone – a lot of someones need to go to jail for that one.)

Too many people are conditioned to react to authority by cowering to demands, even if they border on or exceed the ridiculous.

“RESPOND TO THIS EMAIL OR YOUR PAYPAL ACCOUNT WILL BE CLOSED.”
“IF YOU DON’T ANSWER THIS RIGHT AWAY YOUR BANK ACCOUNT WILL BE SEIZED.”

The sheep or lemming mentality – whatever you call it, is responsible for the astounding findings that 23% of corporate workers will fall to spear phishing attacks. So, I, as the bad guy, target “YourBank.Com” with 20,000 workers. Statistically, 4,600 of them will fall for my scam.

They might provide personal data; they might respond to the e-mail or click through to the hostile web site.

Worse, they will <Click> on some unknown “REPLY URGENTLY” link and download and install a hunk of nasty software that becomes the beachhead for a massive data breach.

The Intrepidus Group’s study showed a few things quite clearly:

• Intimidation and authority in e-mails work. 23% positive response is insanely unacceptable.
• Current corporate user training is not effective.
• Companies are not practicing penetration studies against people; just technology. Stupid, stupid, stupid.
• People are sheep, and we give them incredible access to information and technology when they are not skilled enough to use it.

What to do?
I’ve done social (human) penetration testing in many forms. I have also gotten my clients to agree to fire at least 10% of the people who fail. Extreme? Yes. Effective?

You bet.

I’ve been doing this for a long time, and the latest hack into a DHS coordination and planning network was really no surprise. If it wasn’t them it was going to be… what some nation-state keep screwing with the FAA systems (with 3,800+ holes)… and that’s really bad.

Point is, back in 1987, Congressmen (people?) Glickman and Valentine were the point men on the CSA, Computer Security Act of 1987. (This is the committee that told me cyberwar/terrorism/etc. was a figment of my imagination. Quality folks, there.) One major goal of the Act was called “C2 by ‘92”.

In the old security parlance of the Orange Book, C2 security was good enough for “sensitive but unclassified” information. Big push. Big initiatives. Big goose egg of security tongue wagging.

So, the DHS is downplaying this sensitive but unclassified hack as, “no information can be posted on HSIN that would cause anything more than minor damage to the homeland security mission.”

I am sorry. No, they should be!

Any data leak is potentially monstrous. So, this data was C2. Fine. Then another C2-level hack here and another there… and you glue together all of the data from these hacks and suddenly the amalgamated data is MJ-12 (alien technology) secret.

OK, you get the point.

Data in isolation may seem worthless, but a cut, a snip and a paste later you’ve got yourself a database worth boatloads to the bad guys.

What is even worse, that these days, the flipping DHS can’t practice Security 101 and avoid getting hacked? It’s not that hard… if you let the geeks do their jobs.

I find it immeasurably embarrassing that the guys and gals who are supposed to protect us can’t even protect themselves to the most minimal standards.

Of course the public information doesn’t say whether the situation was caused by a poorly configured machine (of what OS, by the way), unpatched vulnerabilities or the same type of criminal stupidity that allowed the details of Obama’s Helo to get into the hands of the Iranians.

Come on people: every bit of data is valuable. Just cause you don’t see that doesn’t make it true.

The whole political maelstrom in Washington is entirely too binary for my taste.
Should we have a cyber czar or not?

First of all, this is an old age discussion. Many of us lobbied for national cyber leadership nearly two decades ago, but Congress and the White House said, “it’ll never be an issue.”

Wrong on count one.

Two. This binary thing, from Ms. Hathaway to Obama’s House to the NSA or DHS… this is the modern equivalent of eminent domain, the 19th century national political dynamo that resulted in Native American genocide. This is a political land grab for control… and that is not what we need now.

What we need is Leadership. We need the kind of leadership… not control… that will find realistic, real-politik, global sensibilities and balance them  against our national (Western?) interests. Not to mention, some 3 million geeks (good hackers, please…) will need to be mollified and included in the process.

I sat with some Fed-types at InfowarCon a couple weeks ago and told them they had to get over the fact that the very people they need to work on national cyber security are the least likely they are to hire… under current policies.

For example: What government security clearance goon is going to approve a metal-detecting, pot-smoking, un-educated (formal) smelly character with Asperger’s Syndrome to develop technology to bring the Dubai Tower elevators to a grinding halt… and be assured he won’t attack the Sears Tower in response to a billing error?

Those are the folks we need, and only a major re-think of what we mean by leadership is going to allow us to approach national security in the asymmetrical way we must… if we ever expect to successfully defend our cyber-borders.

Recent studies show that the SMB (Small Medium Business) sector is getting nailed by botnets and hostile code with greater severity than Big Business. They don’t have the budgets, IT staff or security experts on staff and so, well, they get nailed.

In fact, a friend of mine runs a fairly large construction company in British Columbia, Canada. He is the epitome of the SMB market. He called me with ‘Troubles’.

His network was at a standstill. His e-mail was down… and he was freaking out. His IT guy, a friend of mine who is not a security person, wanted me involved.

The answer was comparatively simple, inexpensive and workable.
1.    Keep your internal data and applications server(s).
2.    Keep your existing end-point applications.
3.    Use the usual mess of A/V, spyware detectors and so on at the proper places in the internal network.
4.    Get rid of your own mail server. Outsource it for like – what - $10 month? Let them be responsible. If you want your QoS to be higher, pay $100 month. Just admin the user accounts and use a decent client at the end points.
5.    Get rid of your Sharepoint server, your internal collaberation servers ad nauseum. Write down a set of specifications and features you want. Search for the SaaS Cloud Based product that meets the majority of your needs. (Nothing is perfect.) Outsource it – SaaS – and let them have the headaches.

Dave took my advice. He saved $15,000 on new hardware. He saved dozens of hours of techy time. He lowered his admin time that our friend was handling (to his relief, too). He set up a Cloud based collaborative environment for his back office intranet for $149 month.

He’s happy. And much more secure than ever before.

Boy the media likes being wrong. It’s H1N1 not swine, pork, pig or ham flu. The FUD frenzy caused Egyptians to kill off enough pork to infect all of Afghanistan’s poppy fields for a year. But never mind…

They think the swine… oops… H1N1 might come back in a few months or next season with a potential vengeance, mutated, resistant and the FUD also says that more than a billion people could be caught up in the pandemic.

If this was a computer virus/worm like the Conficker or other hostile code that we know about in advance, we’d start reverse engineering the code and tell folks to behave themselves more than ever.

But H1N1 presents another security issue. Let’s hypothesize that this is all real and that masses of people are going to get sick-sicker-sickest.

How do you, the corporate exec, security guy, or whatever plan for 15-30% of your staff being out with the flu? Some companies use temporal dispersion to avoid having all execs and mission critical folks sitting in one physical location every day.

But will the same rules apply with a pandemic?

I don’t begin to have an answer other than this: every company that has global presence with volumes of on-line people integral to their business continuity had better get a game plan started.

I’ve always called it Graceful Degradation. Technically this means, “how can I conduct business with certain key portions of my infrastructure broken.”

When it comes to H1N1, Graceful Degradation needs to apply to the human Domain of the Integrated Security Triad.

Think about. Or better yet… assign it to HR and make them come up with a plan!

A cop comes to your house. “We need you downtown, now.” And you’re expected to drop everything… even though you have no legal obligation to do so. Authority says to comply.
“Yes, you can afford this mortgage… and we can always refinance in a couple of years…” Expert authority speaks and too damned many people listened. (Someone – a lot of someones need to go to jail for that one.)

Too many people are conditioned to react to authority by cowering to demands, even if they border on or exceed the ridiculous.
“RESPOND TO THIS EMAIL OR YOUR PAYPAL ACCOUNT WILL BE CLOSED.”

“IF YOU DON’T ANSWER THIS RIGHT AWAY YOUR BANK ACCOUNT WILL BE SEIZED.”

The sheep or lemming mentality – whatever you call it, is responsible for the astounding findings that 23% of corporate workers will fall to spear phishing attacks. So, I, as the bad guy, target “YourBank.Com” with 20,000 workers. Statistically, 4,600 of them will fall for my scam.

They might provide personal data; they might respond to the e-mail or click through to the hostile web site.

Worse, they will <Click> on some unknown “REPLY URGENTLY” link and download and install a hunk of nasty software that becomes the beachhead for a massive data breach.

The Intrepidus Group’s study showed a few things quite clearly:

• Intimidation and authority in e-mails work. 23% positive response is insanely unacceptable.
• Current corporate user training is not effective.
• Companies are not practicing penetration studies against people; just technology. Stupid, stupid, stupid.
• People are sheep, and we give them incredible access to information and technology when they are not skilled enough to use it.

What to do?
I’ve done social (human) penetration testing in many forms. I have also gotten my clients to agree to fire at least 10% of the people who fail. Extreme? Yes. Effective? You bet.

I am a phisher and scammer.
I had put up a couple of my laptops for sale on my local Craigs List. Sold ‘em that PM.

I soon received a couple of “I want to buy” from a couple of guys in Nigeria. They offered more than I asked to include shipping to Sub-Saharan Africa. They wanted my PayPal account which is fine, cause it’s just an e-mail address.

Then I get these emails from  ‘PayPal’ to an address I do not use with PayPal itself, about “It’s paid” “Ship Now” and so I am having gobs of fun winding these ***holes up. They are threatening legal action from PayPal, and acting all tough. The cool part is that I am able to document it all. I’ll post it when I get through this game and you can distribute it to your users, and family nubes to help buy them a clue.

This is fun!