Top 10 Data Loss Prevention Pitfalls

In this post, we will discuss the top ten reasons many Data Loss Prevention (DLP) Programs fail and how organizations can address those issues to ensure Data Loss Prevention Systems can be leveraged to build a solid foundation for an Information Security program. Doing so will position an organization to build more advanced information protection capabilities like Data Protection in the cloud, and rights management and encryption strategies to protect information throughout its life cycle.

Introduction

What is Information Security? Information Security as a term is often conflated with the term cybersecurity. In my view, cybersecurity refers to the overall program an organization develops in order to protect from the broad spectrum of cyber threats an organization may face. Information Security is a discipline inside cybersecurity which focuses on protecting specific information that an organization has whose inappropriate access or disclosure can cause irreparable harm to an organization. Those informational assets, which I refer to as Critical Data Assets, must be afforded additional levels of protection from commodity data in order for an organization to prioritize security initiatives to protect what matters most.

In that context, the foundational element of any effective Information Security program is the ability to distinguish critical information from commodity information. That foundational element is facilitated by content analytics, which is most often accomplished through a technology known as Data Loss Prevention.

Data Loss Prevention is not a new technology; it has been around for 15 years. However, despite having been available for quite some time, it remains one of the more difficult technologies to deploy and leverage effectively because it is fundamentally different from other cybersecurity tools. DLP requires business alignment in a way that many other tools, like firewalls, endpoint security, and Intrusion Prevention Systems, do not.

Failing to Involve Business Stakeholders

Data Loss Prevention programs are different and must be established differently from other cybersecurity products. Data Loss Prevention is not a traditional security tool. It is a business tool facilitated by technology. Consequently, it is important to involve business stakeholders early in the process.

Information is not all of equal value, nor should it be protected in the same way. Information derives its value based on the business impact it may have. For example, if Intellectual Property is lost or improperly disclosed, there will be an impact on the profit and loss statement of at least one business unit. Therefore, in order to quantify the risk to a Critical Data Asset, the business unit that would be most affected by that loss must help define what impact that loss would mean.

At its core, security is the reduction of the likelihood that something bad will happen, or of the impact a negative event would have on an organization. Therefore, defining the risks to Critical Data Assets is critical to determining the appropriate level of security spending to secure each asset. As the saying goes, you shouldn’t spend a dollar to protect a nickel, but spending a nickel to protect a dollar has a favorable Return on Investment. Many Information Security programs are ineffective because equal spending is applied to all assets. Involving business stakeholders is critical to ensuring security priorities are aligned with business priorities.

Further, in order for Critical Data Assets to be leveraged to their full business potential, they must be stored, used, and often shared. Ensuring they are stored properly, used in the proper manner by the proper people, and only shared with appropriate internal and external parties, requires business stakeholders to define the authorized business processes with respect to those assets.

Many Information Security programs are doomed from their inception because the program does not involve business stakeholders in defining the program. If you do not define what is authorized and what should be done in the event of unauthorized activity, how can you possibly protect those assets?

Failure to Define Governance and Working Group Structure

Business unit involvement in Data Loss Prevention programs must not end with the definition of the program. Business units are best positioned to define authorized and unauthorized behavior. Those behaviors do not remain static and continued business unit involvement is imperative to building and maintaining an effective program. Business unit involvement is divided into two separate functions which often involve two distinct groups of people: Governance and Working Groups.

Governance Groups are responsible for the strategic direction of the program and generally made up of business unit leaders. They generally meet quarterly and define the business objectives of the program and milestones for specific compliance or risk reduction initiatives.

Working Groups are responsible for the daily activities necessary for the ongoing support and maintenance of the program. These groups generally consist of the security professionals responsible for operating the program, along with select delegates from the Governance Group. The group is responsible for day-to-day Incident Response with respect to events that have potential business impact.

These groups generally work together on a day-to-day basis and hold a standing meeting on a weekly or bi-weekly cadence to discuss the operation of the program, including activities such as tuning the system.

Failure to Identify Critical Information

Many organizations that do not involve business stakeholders often fail to define what Critical Information is. As a result, programs only protect information that is regulated. This may or may not be appropriate based on the nature of the operations of the organization. Failure to define what is critical to an organization results in programs that spend too much to protect commodity information while failing to appropriately protect what is most critical to the organization.

No Information Security program can be effective if it is not focused on protecting the most important information. This seems like a relatively simple statement, but many programs fail to put forth the appropriate level of effort to define their assets.

Failure to Set Long-Term Objectives With Respect to Data Assets

Identifying Critical Data Assets is not enough. In order to transition from Data Loss Monitoring to Data Loss Prevention, an organization must define the actions necessary to protect information once it is identified. These protection initiatives fall into two categories: Systematic Protection and Incident Response.

Systematic Protection is leveraging technical responses such as blocking, user notification and confirmation, and quarantining, among other capabilities. Systematic protections have a low tolerance for False Positives as inappropriate actions can have a detrimental business impact that should be avoided at all reasonable cost.

Incident Response Protection is the ability to discover potential issues and respond manually, but quickly enough to prevent harm from coming to the business. Incident Response protections have a higher tolerance for False Positives and are often appropriate for Critical Data Assets that have a lower tolerance for False Negatives or are likely to be intentionally compromised. Systematic responses to information being intentionally compromised often serve to tip off the attacker to the fact that their activities are being monitored.

The reason it is important to determine the long term objectives with respect to each Critical Data Asset is that these decisions will impact strategic and tactical operations with respect to the program. Tuning activities and accuracy goals with respect to both False Positives and False Negatives are dictated by the intended response in the event of an incident involving the asset.

Many programs fail because they do not define response actions, and policy tuning efforts are paralyzed by a desire to have very few false positives and absolutely zero false negatives. These are competing priorities, and it’s impossible to meet both objectives. Successful programs balance these priorities by setting thresholds for systematic actions or by creating two policies. One policy is tuned to have very few false positives, for the purpose of systematic actions. The other is tuned to have very few false negatives, in order to catch events that do not meet the stricter criteria required for automated action; those events are addressed through incident response actions.
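The two-policy approach described here, as an added example (not code from the original post): one strict policy that fires only on several Luhn-validated card numbers and may block automatically, and one loose policy that fires on any card- or SSN-shaped hit and only raises an alert for the incident response queue. The detectors, thresholds, policy names and sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Two detectors of different confidence (constructed for this example).
# A card-shaped digit run that also passes the Luhn check is a high-confidence
# hit; a card-shaped run that fails Luhn, or an SSN-shaped number (which has no
# check digit to validate), is a low-confidence hit.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def score(text: str) -> tuple:
    """Return (high_confidence_hits, low_confidence_hits) for one message."""
    high = low = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            high += 1
        else:
            low += 1
    low += len(SSN_RE.findall(text))
    return high, low


@dataclass(frozen=True)
class Policy:
    name: str
    min_high: int  # validated hits required before the policy fires
    min_any: int   # hits of any confidence required before it fires
    action: str    # what the DLP system does when the policy fires


# The two policies from the post: a strict one that may act automatically
# (few false positives) and a loose one that only feeds incident response
# (few false negatives). Thresholds are constructed; real ones come from tuning.
POLICIES = (
    Policy("card-bulk-block", min_high=3, min_any=3, action="block"),
    Policy("card-any-alert", min_high=0, min_any=1, action="alert"),
)


def decide(text: str) -> str:
    """Evaluate policies in strictness order; the first one that fires wins."""
    high, low = score(text)
    for p in POLICIES:
        if high >= p.min_high and high + low >= p.min_any:
            return p.action
    return "allow"


# Constructed sample messages. The card numbers are the well-known public
# test numbers, not real accounts.
BULK_EXPORT = (
    "cust 0001 card 4111 1111 1111 1111 exp 12/27; "
    "cust 0002 card 5555 5555 5555 4444 exp 01/28; "
    "cust 0003 card 3782 822463 10005 exp 03/26"
)
SINGLE_ORDER = "order 4111111111111112 has shipped"   # card-shaped, fails Luhn
CLEAN_CHAT = "lunch is at noon in room 204"

if __name__ == "__main__":
    for label, msg in (("bulk export", BULK_EXPORT),
                       ("single order", SINGLE_ORDER),
                       ("clean chat", CLEAN_CHAT)):
        print(f"{label:13s} hits={score(msg)} -> {decide(msg)}")
```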

Failure to Quantify Risk Against Critical Data Assets

Many organizations struggle to define Return on Investment for Information Security programs. You can quantify such a return, but in order to do so you must first quantify the risk against your critical data assets. The benefit side of the cost/benefit equation is determined by breaking down the risk treatment of an asset into acceptance, avoidance, and transference and then comparing the costs of executing those three strategies against that of mitigating any incidents to determine ROI. The organization can then analyze the amount of capital being spent on the mitigation strategy in order to define the Return on Investment.

Failure to Properly Staff the Program

Information Security talent is difficult to find. It is even more difficult to find security talent familiar with the specific discipline of Data Protection. As a result, organizations often understaff their programs and end up with poorly tuned policies. This becomes a self-reinforcing problem: poorly tuned policies yield many more events than properly tuned policies do, and they require more effort to sift through the False Positives to get to the incidents that matter. Consequently, many failing programs are characterized by hundreds of thousands of events that are never triaged, missing real business issues that should be addressed.

Many successful programs are turning towards Managed Security Services Providers (MSSPs), like InteliSecure, that focus on Information Security programs, to assist in operating the program and ensure all events are triaged in a timely manner so that incidents can be responded to properly.

Failure to Tune Properly

Improper policy tuning in Data Loss Prevention programs is often a result of the failure to set long term objectives with respect to Critical Data Assets. However, even when those goals are properly set, organizations can struggle with the ability to tune DLP policies because the skill sets required to do so are relatively unique. Data Loss Prevention policy tuning is equal parts art and science, and the people performing the tuning must have the business acumen to interface with business stakeholders in order to ensure accurate tuning. The people I have just described are roughly as rare as a unicorn, and in today’s market for cybersecurity talent, if you could find a single person with all of these attributes, they would likely be prohibitively expensive to hire. More often, there are several people involved in policy tuning efforts, which also significantly drives up costs for internal staffing programs. This is another reason why many successful Data Loss Prevention programs leverage Managed Security Services Providers.

Failure to Review the Program on a Regular Cadence

Information Security programs are as much about business as they are about security or technology. Since businesses evolve and change at an ever-increasing rate, the program must be built and operated in order to evolve with the business. In order to ensure the Information Security program remains aligned with the business, the program should be reviewed regularly. I generally recommend the governance group review the program and make changes as necessary on a quarterly cadence, and that the Critical Data Assets be re-evaluated on an annual basis.

Failure to Deploy Controls Across the Information Life Cycle

Many solutions are deployed as “Integrated DLP”, which is DLP as a feature of a different product. Common examples are Integrated DLP as part of Microsoft Office 365, as part of a Cloud Access Security Broker (CASB) technology, or as part of a web gateway or firewall. The Integrated DLP approach generally means separate solutions with inconsistent rule sets and responses across channels such as email, network, web, CASB, endpoint, and Data at Rest (storage). This inconsistency, and the programmatic gaps that result from it, often lead to poor data protection and an exponentially higher cost of operating a program.

The ironic thing is that many organizations embark on the Integrated DLP journey in order to save money up front, but the increased cost of supporting several consoles for DLP and the time associated with manual correlation between systems quickly outpaces any up-front savings. Since the savings are one time and the increased costs continue in perpetuity, it quickly becomes a far more expensive solution that is far less effective. It is very similar to me saying that I will give you $400 today in exchange for you paying me $100 every month until you die. If you plan on living more than a few months, it really isn’t a good idea.

The reason these systems are not effective is that the information needed to perform an investigation exists in several different databases, without a credible way to correlate it to establish patterns and risk profiles. As a result, many of the high-impact incidents, which tend to occur across multiple channels over a period of time, are missed, and the overall value of the program is minimal.

Undefined or Inconsistent Incident Response

Many organizations are blissfully unaware of just how exposed they are before they put a Data Loss Prevention program in place. As a result, many don’t expect to find anything egregious and therefore do not invest the proper amount of time building a clear and consistent Incident Response process. I always hope that nothing egregious is going on, but in security we all must hope for the best while preparing for the worst. Failure to prepare for the potential of a major incident leads to an ineffective response.

Further, if the proper process isn’t well defined, incidents are often handled based more on relationships, politics, and power dynamics than they are based on the actual facts of the incident. Inconsistent response can lead to organizational risk exposure in a few ways. First, if incidents are improperly swept under the rug, the obvious risk is the organization may fail to respond to an impactful incident. Second, if incidents are not responded to consistently and action is taken on one user and not another, the organization may be exposed to litigation. It is far better to maintain and execute a clear and objective process from the outset of a program.

Conclusion

Many of the points mentioned above will also doom information security programs for firewalls, endpoints and intrusion prevention. For DLP, the failures mentioned highlight what I mentioned in my introduction: that DLP requires business alignment. Without this alignment, organizations will miss protecting the data that really matters – the critical data that significantly impacts their bottom line.

How Secure is Your Drone – An InteliSecure Skunk Works Post

Drones have become ubiquitous over the past few years. Many organizations are now using them to help with things such as search and rescue, geographic mapping, storm tracking and more. You can see and hear them flying around your neighbourhood, at sporting events, parks, etc. And if one happens to be hovering over your private property, you have probably, at some point, wished you could just shoot it out of the sky. While that sounds like fun, you probably also live somewhere where that isn’t allowed.

Drones do pose threats though, especially around airports where a collision with an aircraft could cause significant harm and loss of life.

AR Drone

On a personal level, I just wanted to get in on the fun, not only to have my own drone, but dig into the inner workings from a technological perspective. So, I went out and bought a Parrot AR drone to see what I could find.

One of the first things I noticed was the lack of security to access and control my new toy! Basically, the drone hosts its own 2.4GHz Wi-Fi hotspot of sorts, with zero to hero authentication. Now there are a few applications which can be installed on your iPad, iPhone, PC and Android which give a nice user interaction to control and fly drones, but I asked myself what else could be accessed and decided to find out!

To begin, I used the ‘Aircrack-ng’ suite and leveraged ‘Airodump-ng’ to identify the AR drone extended service set identifier (ESSID):


wireless_convict@kali:~$ sudo airodump-ng -c 1 –bssid 90:03:xx:xx:xx:xx mon0
CH  1 ][ Elapsed: 4 s ][ 2015-12-20 22:54
BSSID      PWR RXQ  Beacons #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
90:03:xx:xx:xx:xx -49  64  2719    3   1  54e. OPN   ardrone2_1031XX                    


That allowed me to see that the AR Drone was broadcasting on channel 1 with the ESSID of ardrone2_1031XX. Knowing that, I then associated my attacking laptop with the drone…and with no authentication needed:


wireless_convict@kali:~$ sudo iwconfig wlan0
wlan0     IEEE 802.11abg  ESSID:
ardrone2_1031XX

Mode:Managed  Frequency:2.412 GHz  Access Point: 90:03:xx:xx:xx:xx
Bit Rate=54 Mb/s   Tx-Power=15 dBm
Retry short limit:7   RTS thr:off   Fragment thr:off
Encryption key:off***************** snipped *****************


At this point, I have been given an IP address from the DHCP pool. Our IP is 192.168.1.2, and we also learn at this point that the drone is on 192.168.1.1 by conducting a layer 2 ARP scan.


wireless_convict@kali:~$ sudo ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:1b:xx:xx:xx:xx
inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
wireless_convict@kali:~$ sudo arp-scan -l -I wlan0
Interface: wlan0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.1.1     90:03:xx:xx:xx:xx    PARROT


I then decided to see what services / protocols were running on the AR Drone. We can do this by running an Nmap scan against the IP address.

By conducting a full TCP port scan of ports 0-65535, we can see some interesting open ports, especially the ‘clear-text’ FTP and Telnet; take notice of the FTP anonymous login and bounce!


uid=0(root) gid=0(root)


We learn here that it’s a stripped-down Linux box, but hey, we have ‘Root’! All of this information is nice, but what could I do with it?

With the information made available to me, the next thing I tried was to kill the drone in mid-flight! I ran the simulation as if someone else were flying the drone with me taking control of it and then disabling it, sending it to the ground. To do so, I associated my iPhone running the ‘AR.FreeFlight’ app, flew the drone approximately 3 feet above the ground, associated my attacking laptop, and then, connecting to TCP port 23 via netcat, issued the ‘poweroff’ command. In less than a second, the drone’s blades stopped abruptly and it crashed into the ground!


wireless_convict@kali:~$ nc 192.168.1.1 23
BusyBox v1.14.0 () built-in shell (ash)
Enter ‘help’ for a list of built-in commands.
# poweroff
Poweroff


One other thing that is possible is to de-authenticate the current user and take control of the drone yourself! This can be done with ‘Aireplay-ng’ and sending de-authenticating management frames! Lots of fun!


wireless_convict@kali:~$ sudo aireplay-ng -0 5 [Parrot MAC] [client MAC]


This command forces the client and drone to disconnect, allowing you to associate and take total ownership!
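A defender-side counterpart to the de-authentication technique described above, added here as an example and not code from the original post: a small Python detector that flags a burst of de-authentication or disassociation management frames aimed at one access point/client pair, which is what a wireless IDS (or drone firmware with monitor-mode visibility) would watch for. The record layout, the sample frames, the addresses and the threshold are all constructed assumptions for the demonstration.

```python
"""Sliding-window detector for 802.11 deauthentication floods.

Added example (not from the original post). It consumes management-frame
records of the kind a monitor-mode capture tool or wireless IDS would emit;
the record layout below and the sample frames are constructed for this
demonstration, not real captures.
"""
from collections import defaultdict, deque

# 802.11 management frame subtypes (from the frame control field)
BEACON_SUBTYPE = 8
DISASSOC_SUBTYPE = 10
DEAUTH_SUBTYPE = 12

# Constructed sample frames: (timestamp_s, subtype, bssid, station_addr, reason_code)
# Addresses are made up; station_addr is the client the frame is addressed to
# (ff:ff:ff:ff:ff:ff would mean a broadcast deauth kicking every client at once).
SAMPLE_FRAMES = [
    (0.00, BEACON_SUBTYPE, "90:03:aa:bb:cc:dd", "ff:ff:ff:ff:ff:ff", None),
    # One deauth with reason 3 ("station is leaving"): a client disconnecting normally.
    (0.50, DEAUTH_SUBTYPE, "90:03:aa:bb:cc:dd", "0c:3e:11:22:33:44", 3),
    # Three deauths to another client spread over five seconds: noisy, not a flood.
    (2.00, DEAUTH_SUBTYPE, "90:03:aa:bb:cc:dd", "0c:3e:55:66:77:88", 3),
    (4.50, DEAUTH_SUBTYPE, "90:03:aa:bb:cc:dd", "0c:3e:55:66:77:88", 3),
    (7.00, DEAUTH_SUBTYPE, "90:03:aa:bb:cc:dd", "0c:3e:55:66:77:88", 3),
] + [
    # Eight deauths to the flying phone within 0.14 s, reason 7 ("class 3 frame
    # from nonassociated station"): the signature of a deauth flood.
    (round(10.0 + 0.02 * i, 2), DEAUTH_SUBTYPE, "90:03:aa:bb:cc:dd", "0c:3e:11:22:33:44", 7)
    for i in range(8)
]


def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """Return one alert per (bssid, station) pair whose deauth/disassoc count
    inside a sliding window of window_s seconds reaches threshold.

    Each alert is a dict with the time the threshold was crossed, the pair,
    the frame count in the window and the reason code of the triggering frame.
    """
    recent = defaultdict(deque)   # (bssid, station) -> timestamps inside the window
    alerts = []
    active = set()                # pairs already alerted for the current burst
    for ts, subtype, bssid, station, reason in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
            continue
        key = (bssid, station)
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > window_s:
            window.popleft()
        if len(window) >= threshold:
            if key not in active:
                alerts.append({"time": ts, "bssid": bssid, "station": station,
                               "count": len(window), "reason": reason})
                active.add(key)
        else:
            active.discard(key)   # burst subsided; a new burst may alert again
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print("deauth flood: {count} frames in window at t={time}s "
              "bssid={bssid} station={station} reason={reason}".format(**alert))
```

On the constructed input the single legitimate deauth and the three scattered ones stay quiet, and the eight-frame burst raises exactly one alert at the fifth frame. The threshold and window are tuning knobs: a real AP sees occasional deauths when clients roam or sleep, so the detector counts per pair rather than globally, and it watches the broadcast address too, since a flood does not need to name a specific client.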

So in conclusion, if you see an AR drone flying around, you can be certain:

  • It sports an open auth Wi-Fi network;
  • You can access it via Telnet on port 23;
  • You can really confuse a drone’s owner by issuing a stand-off attack that sends it diving into the ground!

For better security the drone needs authentication and encryption. I will be looking into a WPA-supplicant and further protection of the drone with some kind of management authentication!
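To make that closing recommendation concrete, here is an added example (not code from the original post or from Parrot) that audits a hostapd-style access-point configuration for the weaknesses found above. It assumes the drone’s hotspot is driven by a hostapd-style key=value configuration, which the post does not state; both embedded configurations are constructed, the first mirroring the open network the post observed and the second showing WPA2-PSK with CCMP plus required management frame protection (802.11w), the setting that makes spoofed de-authentication frames ineffective. The passphrase is a placeholder.

```python
"""Audit a hostapd-style access-point configuration for weak Wi-Fi security.

Added example (not from the original post or from Parrot). It assumes a
hostapd-style key=value configuration drives the access point; the two
configurations below are constructed for the demonstration.
"""

# Constructed: the open-authentication setup the post observed (no wpa= line).
OPEN_CONFIG = """\
interface=wlan0
driver=nl80211
ssid=ardrone2_1031XX
hw_mode=g
channel=1
"""

# Constructed: hardened settings. The passphrase is a placeholder, not a real key.
HARDENED_CONFIG = """\
interface=wlan0
driver=nl80211
ssid=ardrone2_1031XX
hw_mode=g
channel=1
wpa=2
wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-replace-with-a-long-random-passphrase
ieee80211w=2
"""

MIN_PASSPHRASE_LEN = 16


def parse_config(text):
    """Parse key=value lines, skipping blanks and '#' comments; later keys win."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_ap_config(text):
    """Return a list of findings (empty when the configuration passes)."""
    cfg = parse_config(text)
    findings = []

    wpa = cfg.get("wpa", "0")
    if wpa == "0":
        findings.append("open authentication: no wpa= setting, so anyone can "
                        "associate and all traffic is unencrypted")
    else:
        if wpa == "1":
            findings.append("wpa=1 allows WPA1 only; set wpa=2 for RSN/WPA2")
        ciphers = cfg.get("rsn_pairwise", "") + " " + cfg.get("wpa_pairwise", "")
        if "TKIP" in ciphers:
            findings.append("TKIP pairwise cipher allowed; restrict rsn_pairwise to CCMP")
        akms = set(cfg.get("wpa_key_mgmt", "").split())
        if not akms & {"WPA-PSK", "WPA-PSK-SHA256", "SAE"}:
            findings.append("wpa_key_mgmt does not include WPA-PSK, WPA-PSK-SHA256 or SAE")
        passphrase = cfg.get("wpa_passphrase", "")
        if not passphrase and "wpa_psk" not in cfg:
            findings.append("no wpa_passphrase or wpa_psk configured")
        elif passphrase and len(passphrase) < MIN_PASSPHRASE_LEN:
            findings.append("wpa_passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)

    if any(k.startswith("wep_") for k in cfg):
        findings.append("WEP keys configured; WEP is broken and must be removed")

    if cfg.get("ieee80211w", "0") != "2":
        findings.append("management frame protection not required (ieee80211w=2); "
                        "deauthentication and disassociation frames can be spoofed")
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name + ":", audit_ap_config(text) or ["no findings"])
```

Two caveats a practitioner would want: ieee80211w=2 only helps clients that support protected management frames, so an older controller app may need ieee80211w=1 (optional) as a compatibility fallback, which leaves non-PMF clients exposed to spoofed frames; and encrypting the link does nothing for the unauthenticated Telnet and anonymous FTP services on the drone itself, which need their own authentication or should be disabled.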

While the above exercise was done for fun, it did expose some serious flaws in personal drone security which could be exploited.

If anyone is interested in me covering some ‘Aircrack-ng’ blogs, drop me a line!

Read More

Insourcing vs. Outsourcing Security Resources

I was recently having coffee with a person that could best be described as a mentor, consultant and investor in me. During breakfast, he asked me a simple question that has been burning in my brain ever since. He said “You spend a lot of time educating people on how to build effective programs, but have you ever considered explaining to them why they may want you to run those programs for them rather than them running those programs themselves?” Sheepishly I must admit that the answer was “no”, but I am seeking to change that answer with this post.

A major initiative for me is to demystify cybersecurity. It’s not some nebulous concept that is difficult to understand, in fact, for almost every cyber security challenge, there is a corollary to everyday life. In this case, it is akin to deciding whether to do your own home improvement or to contract with a professional.

I have done a variety of work in my past and consider myself pretty handy and mechanically inclined, so I do a lot of work around the house myself, but there is other work that I contract out. For example, I have no interest in doing electrical or plumbing work because I don’t have the skill set, don’t have the tools, and have no desire to learn. There’s other work, like tree trimming, that I am perfectly capable of doing, but the tree trimming companies can do it much faster and have much better equipment. Essentially, I value my time on an hourly basis and compare what it would take for me to do the work vs. hiring someone else based on the value I place on my time. As I become more established in my career and earn more money, my own time value goes up and the equation changes. There should be a similar evaluation for organizations.

There is a decision matrix I am using in my internal calculation. On one axis, the question is around expertise. Can I do this as well as a professional, and do I care? Is it something where the quality of the work is very important to me, or is it something where I don’t care just as long as it’s done? In business there are things that fall into both categories as well. The other axis revolves around how much longer it would take me vs. a professional. A good example of this is when I bought my house. My wife and I wanted to change the paint throughout the house. We finished two bedrooms and a bathroom in two weekends working long hours. We hired professional painters who finished the rest of the house in a day. Although we paid them more per hour than we valued our own time, the professionals were far more efficient, so the outsourcing cost was favorable to the insourcing cost.

Much has been written about the cybersecurity skills gap and how difficult it is to find cybersecurity talent. While that gap is real, and it is big, you can find information about it in many different places. Regurgitating those statistics constitutes neither unique insight nor a good use of your time in reading my blog. My unique perspective, as someone who has dedicated a good portion of his career to providing outsourced services to organizations, is what advantages I have over an organization who wishes to staff internally. I will share those advantages with you.

It should be noted that when I speak of outsourcing, I am simply speaking about whether or not the resources performing the work are on an organization’s payroll.

Expertise

Cybersecurity professionals are in short supply and consequently they experience salary growth at a higher rate than many other professions. That hurts organizations who would like to staff internally in two ways. First, cybersecurity professionals can often meet their salary requirements in a variety of roles for a variety of organizations. This means that they’re likely to find opportunities that give them maximum growth opportunity. No matter how good your company is at what you do, if what you do isn’t closely related to cybersecurity, working for InteliSecure looks better on a resume than working for your organization. Second, those people are more valuable to an MSSP like InteliSecure, because we can apply their expertise to a variety of clients, where you can only focus them on a single environment. Therefore paying them at market rate makes a lot of business sense for me, while it may be a budgetary stretch for you.

Additionally, the cybersecurity skills gap is so large that prestige tends to matter more than money, since these people can generally command the salaries they want from a variety of employers. As one Bay Area law firm told me “I’m a law firm in Silicon Valley. Even if I pay double the market rate, what high end cybersecurity professional wants to work for a law firm when they can go down the street and work for Apple, Tesla, or Google?”

Exposure

Exposure is closely related to expertise. I was successful in recruiting a very talented individual from a very prestigious company at a reasonable salary because of exposure. He told me “If I am responsible for one environment, no matter how large, how does that skill set growth compare to being exposed to hundreds of environments working for a Managed Security Services Provider?” The answer is it doesn’t, and many security professionals are moving to security providers in recognition of this fact.

Similar to professional athletes, cybersecurity professionals improve with practice, practical experience, and level of competition. Unlike athletes, their skills don’t diminish with age. They continue to grow from their first day on the job, until the day they retire. Every exposure makes them better. They get more exposure from a service provider which gives providers the advantage of not only recruiting better talent, but also growing talent at a faster rate.

Cost Basis

The majority of cybersecurity tasks by volume are low-level. High level and more valuable tasks can’t be done without the low level tasks being done first, so you can’t simply skip them. The truth is, low level tasks cost me less than they cost you.

Why? Because I can hire junior employees to complete those tasks due to a high enough volume to justify full time employees and a support structure of experts and leadership who allow me to sufficiently support junior employees to perform low level tasks well. Most organizations that are self-staffing their programs have only a handful of people that perform both complex and simple tasks, meaning they lack the flexibility in the program to drive low level tasks to low cost employees. Often, they don’t have the support structure necessary to have low cost employees at all, which means low level tasks are completed by high cost resources. Worse, since those low level tasks are often prerequisites to completing the high value and high impact work, those high cost resources often spend the majority of their time doing low level tasks. Outsourcing the low level tasks to a third party is a good strategy to focus highly skilled resources on high value work. It also makes high value tasks much more likely to be completed, increasing the value of the security program.

Contract Terms

Every business faces disruption from time to time. When those things happen, many times people are laid off. If you are internally staffed for security, it’s easy for the business to ask you to do more with less and cut headcount in your department. You may or may not get that headcount back when the financial outlook of the company improves.

When you outsource at least a portion of your security program, there is likely a contract that cannot be broken without penalty, which means cost cutting forces must look elsewhere when things get tight from a budgetary perspective. In the eyes of the business there is a big difference between having your spending be locked in and contractually obligated and having your spending be an uncommitted ongoing operational expense.

Documentation

In order for a Managed Security Service to work well, it must be thoroughly documented. The Managed Security Services Provider must be able to share information between team members and also prepare information for you, as the client, to approve. Internal programs are not likely to be documented nearly as thoroughly, which often means that if a key team member were to leave, the result would be a security program that takes several steps backward. With the volume of opportunities available to cybersecurity professionals and the generational comfort among millennials with frequently switching organizations, the lack of documentation can result in great difficulty in maturing a program.

Continuity

Related to documentation, continuity is very important to a security program. Simply put, scale breeds continuity. It is not that I don’t face similar generational and opportunity factors that make retention difficult as a service provider; I certainly do. However, if you have 3 full time security people and one leaves, you have lost 33% of your program. It would take an MSSP losing substantially more employees to experience even a fraction of the same continuity impact. Turnover is a fact of life. Unless you plan on having a very large cybersecurity staff, turnover will inescapably breed continuity problems that hinder your efficacy.

Conclusion

Insourcing vs. outsourcing in IT and cybersecurity is a dilemma many organizations face. Like many other business dilemmas that seem to be addressing abstract concepts, drawing a correlation to everyday life is helpful. Evaluating the ability of your internal staff vs. external staff requires a cost and efficacy analysis. However, that analysis is not unlike the analysis a homeowner performs when deciding whether to finish their own basement or hire a contractor.

Read More

Lessons Learned from the WannaCry Ransomware Outbreak

On Friday May 12, 2017 news broke of a widespread ransomware outbreak known as “WannaCry” or several variations on that name. Much has been written about the outbreak itself related to the apparent origins being rooted in the confluence of vulnerabilities stockpiled by the United States’ National Security Administration (NSA), which were stolen and leaked by the “Shadow Brokers” organization, and hacking tools developed by the Central Intelligence Agency (CIA) that were subsequently published online by WikiLeaks. The overall outbreak has led to much finger pointing between governments and technology vendors, and in my opinion, there is plenty of responsibility to go around in this instance.

However, there is a broader story associated with this outbreak which I believe is the first of many to come as a result of cyber weapons being stolen and made available in a public forum. It also highlights a few key issues that need to be addressed. First, much of the damage could have been limited had organizations implemented decades old best practices such as Concept of Least Privilege. Second, the incident boldly highlights a need for the global community to come together to establish norms for proper behavior in the digitally connected world. Cybercrime is a truly global issue which doesn’t respect borders. The Internet by design is borderless. Therefore, having different rules, regulations and law enforcement entities in each country to police this global network will always be challenged. As I will highlight throughout this blog, this is an issue I wrote about in my book Building a Comprehensive IT Security Program, published in 2016.

A Fundamentally Different Crime

In many ways, cybercrime is nothing new. As long as human history has existed, there were those who would steal from others to enrich themselves. However, there is a major difference now, which I referenced in my book.

“The business of crime has become much less onerous and dangerous in its latest evolution. There was a time when criminals had to go where the assets they wanted to steal were located and risk immediate arrest, death, or dismemberment in the course of their crime. Modern criminals can attempt to rob thousands of banks while wearing pajamas and sipping coffee in the comfort of their own home.”  -Building a Comprehensive IT Security Program 2016

This does not mean the motivation has changed. Ransomware attacks bear much resemblance to kidnap and ransom crimes that we have known for centuries. However, it would be difficult to gain a ransom from thousands of companies or individuals before the Internet existed.

Further, proximity is no longer necessary in order to commit a crime, individuals can attack others anywhere in the world from anywhere in the world. By removing the need for proximity, bad people can target innocents anywhere. As a result, as long as you are online, you are not safe. You cannot simply move to a different neighborhood, state, or country in order to be protected.

Global Cooperation

In their recent blog post, Microsoft stated:

“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

There is much legitimate debate about what governments should or should not be able to develop with respect to cyber weapons in the interest of national security. Regardless of whether you are inclined to agree with Microsoft or you side with governments seeking to protect their ability to develop offensive weapons in cyberspace, there is a need for the global community to come together and negotiate norms and enforcement mechanisms to govern online behavior. Even if governments are not precluded from developing and stockpiling these weapons, there is no doubt that governments have a responsibility to protect weapons they develop, either cyberweapons or traditional ones, from falling into the wrong hands. Further, it is incumbent on the global community to devise ways to apprehend and punish those who would steal weapons of cyberwar and use them to inflict harm on innocents. We would not accept anyone stealing chemical or nuclear weapons and selling them to terrorists, and publishing hacking tools or zero day vulnerabilities online is no different.

In my book, I talked about the challenging nature of the global landscape as it relates to cyber crime.

“How can we work together to make the cyber world safer for all of its inhabitants? What types of things make sense for us to collaborate on and where do we draw the line? The answers to these questions will differ between individuals and companies and certainly between countries, regions, industries, and sectors. However, where common ground can be found, there is value in collaboration.”

The time to establish these norms is now. It will be difficult work and the mechanism to accomplish this is not clear. What is clear is having disparate laws governing artificially segregated portions of the Internet is not working. Perhaps this could be facilitated through the United Nations or some global cybercrime treaty, but it is time to establish these norms and build an effective mechanism to prevent these things from happening and to aggressively pursue and prosecute offenders when they do. A Digital Geneva Convention is not a bad idea. What will come out of it and what the rules will be is unclear to me at this time, but the time to start the global conversation is now.

Example: Enforcing GDPR

The European Union’s General Data Protection Regulation (GDPR) is the first regulation which attempts to reach beyond traditional jurisdictions in order to protect data belonging to European citizens wherever it exists. In May of 2018, when enforcement goes into effect, we are likely to quickly see the first attempt to enforce data protection regulations between countries, but how that will happen and how effective it will be still remains to be seen.

Let me give you an example. Today, my wife received a letter from a former employer informing us that their benefits provider had been compromised. They did not know who was affected or the scope of the breach, which tells me they did not have an effective Critical Asset Protection Program in place, but they did know W-2’s belonging to several employees, containing names, addresses, income information, health insurance information, and identifiers like Tax Identification Numbers (TIN) and Social Security Numbers (SSN) were stolen. My wife is not a European citizen, but some of the people she worked with certainly are. However, the breach happened in the United States. If this happened a year from now, to what extent could GDPR be enforced and penalties be levied against her former employer?

Regardless of the outcome of particular cases like these, this incident highlights the importance of a global treaty to govern data privacy as well as the proliferation of cyberweapons.

Protecting Yourself in a Dangerous World

In light of the recent outbreak, it is important to highlight some best practices that individuals and organizations should follow in order to protect themselves. As Microsoft rightly stated in the above referenced blog post, “this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect.”

Many of these best practices are not new, but they are practical steps that those who are seeking a teachable moment from this news can leverage to harden their individual and organizational defenses.

Patching Vulnerable Systems

Microsoft is right. Regardless of what you think about the NSA and CIA leaks that made this attack possible, the vulnerability that allowed this ransomware to propagate was not a zero day exploit. A true zero day exploit refers to an exploit for which a patch does not exist. The patch for this vulnerability was released in March of 2017. The breadth of this outbreak proves that we are not diligent enough in patching our systems.

This is important. Every organization should be patching systems regularly and running frequent vulnerability scans to identify and patch vulnerable systems. As a community, we must demand that this relatively inexpensive process be an essential part of our security programs. If we’re warned that drinking a substance is dangerous and we drink it anyway resulting in an illness, who is to blame? This situation is no different. Not performing regular vulnerability scans is akin to drinking everything under your sink without reading the warning labels. You will get sick and possibly die. It’s simply a matter of time. Performing vulnerability scans and not patching vulnerable systems is akin to reading the warning label and drinking Drain-O anyway.

Concept of Least Privilege

WannaCry spreads through a known Microsoft vulnerability. I am not going to comment on the specific mechanism of how this spreads, but ransomware and worms both often reach out over the network to find all of the resources an infected machine has access to. Therefore, the Concept of Least Privilege is an important best practice to limit the impact of rogue software as much as it helps to limit the damage done by a single rogue insider.

Concept of Least Privilege essentially states that a user should only have access to the minimum amount of resources necessary to do their job. However, many users across many organizations have access to things they don’t need. In fact, many organizations give users Administrator or root level access when they don’t need it. This allows ransomware and worms to propagate easily throughout an environment and spread to a wide breadth of systems. Lateral movement is much more difficult for attackers when credentials are limited to necessary access privileges.

Clicking on Emails

It has been reported that the most recent outbreak is not caused by Phishing emails, or emails designed to trick a user into installing malicious software by clicking a link or opening an attachment. However, the vast majority of infections do spread that way. Now is a good time to remind all users to be very careful of anything they receive from an unknown stranger. This is very much like the “don’t take candy from strangers” best practice taught to children around the globe. If you don’t know the person giving you candy, don’t eat it. Also, if you don’t know the person sending you an email, don’t click it. We cannot say this to users enough.

Defense in Depth

Most organizations have a myriad of technologies deployed to protect their environment from infections. Endpoint protections like antivirus or next generation endpoint protection products are an important piece of the puzzle. So are Web Gateways and Email Gateways, which provide another layer of protection. However, none of these things are effective if they are not kept up to date, deployed universally and managed properly.

Backups

Ransomware is not going anywhere. Simply put, if you don’t not have multiple copies of your data stored in locations that are not connected to each other, you could lose it at any moment. While some advanced strains of ransomware lie dormant long enough to render backups useless, most do not. However, many organizations do not have frequent and comprehensive backups so the data that is not properly backed up is lost. Business Continuity and Disaster Recover planning as well as an overall Incident Response plan that includes procedures for responding to a ransomware outbreak is strongly recommended.

Conclusion

The recent outbreak, if nothing else, should serve as a reminder that we live in a dangerous world. Many people go about their daily lives on the Internet, surrounded by strangers around the globe, in a shockingly naïve way. Know that nothing shared online is completely private, and you cannot be too careful about who you interact with and how you interact with them. There have always been bad people in the world that mean you harm. However, while you are on the Internet, they are sitting next to you. Behave accordingly. Remain vigilant and protect yourselves, your organizations, your clients, and your communities. We truly are in this together.

On Friday, May 12, 2017, news broke of a widespread ransomware outbreak known as WannaCry (also reported as WannaCrypt, WanaCrypt0r and Wcry). Much has been written about the outbreak's origins: the exploit it used to spread came from a cache of tooling attributed to the United States' National Security Agency (NSA) that was stolen and leaked online by the group calling itself the "Shadow Brokers", and it arrived in the same season that hacking tools developed by the Central Intelligence Agency (CIA) were published online by WikiLeaks. The outbreak has led to much finger pointing between governments and technology vendors, and in my opinion there is plenty of responsibility to go around.

However, there is a broader story associated with this outbreak, which I believe is the first of many to come as a result of cyber weapons being stolen and made available in a public forum. It also highlights a few key issues that need to be addressed. First, much of the damage could have been limited had organizations implemented decades-old best practices such as the Concept of Least Privilege (more commonly called the Principle of Least Privilege). Second, the incident boldly highlights a need for the global community to come together to establish norms for proper behavior in the digitally connected world. Cybercrime is a truly global issue which does not respect borders. The Internet by design is borderless. Therefore, having different rules, regulations and law enforcement entities in each country to police this global network will always be a struggle. As I will highlight throughout this post, this is an issue I wrote about in my book Building a Comprehensive IT Security Program, published in 2016.

A Fundamentally Different Crime

In many ways, cybercrime is nothing new. For as long as there has been human history, there have been those who would steal from others to enrich themselves. However, there is a major difference now, which I referenced in my book.

“The business of crime has become much less onerous and dangerous in its latest evolution. There was a time when criminals had to go where the assets they wanted to steal were located and risk immediate arrest, death, or dismemberment in the course of their crime. Modern criminals can attempt to rob thousands of banks while wearing pajamas and sipping coffee in the comfort of their own home.” (Building a Comprehensive IT Security Program, 2016)

This does not mean the motivation has changed. Ransomware attacks bear much resemblance to the kidnap-and-ransom crimes we have known for centuries. However, before the Internet existed it would have been difficult to extract a ransom from thousands of companies or individuals at once.

Further, proximity is no longer necessary in order to commit a crime: individuals can attack others anywhere in the world from anywhere in the world. By removing the need for proximity, bad people can target innocents anywhere. As a result, as long as you are online, you are not safe. You cannot simply move to a different neighborhood, state, or country in order to be protected.

Global Cooperation

In its recent blog post on the outbreak, Microsoft stated:

“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

There is much legitimate debate about what governments should or should not be able to develop with respect to cyber weapons in the interest of national security. Regardless of whether you are inclined to agree with Microsoft or you side with governments seeking to protect their ability to develop offensive weapons in cyberspace, there is a need for the global community to come together and negotiate norms and enforcement mechanisms to govern online behavior. Even if governments are not precluded from developing and stockpiling these weapons, there is no doubt that governments have a responsibility to protect the weapons they develop, whether cyber or conventional, from falling into the wrong hands. Further, it is incumbent on the global community to devise ways to apprehend and punish those who would steal weapons of cyberwar and use them to inflict harm on innocents. We would not accept anyone stealing chemical or nuclear weapons and selling them to terrorists, and publishing hacking tools or zero day vulnerabilities online is no different.

In my book, I talked about the challenging nature of the global landscape as it relates to cybercrime.

“How can we work together to make the cyber world safer for all of its inhabitants? What types of things make sense for us to collaborate on and where do we draw the line? The answers to these questions will differ between individuals and companies and certainly between countries, regions, industries, and sectors. However, where common ground can be found, there is value in collaboration.”

The time to establish these norms is now. It will be difficult work, and the mechanism to accomplish it is not clear. What is clear is that having disparate laws governing artificially segregated portions of the Internet is not working. Perhaps this could be facilitated through the United Nations or some global cybercrime treaty, but it is time to establish these norms and build an effective mechanism to prevent these things from happening and to aggressively pursue and prosecute offenders when they do. A Digital Geneva Convention is not a bad idea. What will come out of it and what the rules will be is unclear to me at this time, but the time to start the global conversation is now.

Example: Enforcing GDPR

The European Union’s General Data Protection Regulation (GDPR) is the first regulation which attempts to reach beyond traditional jurisdictions in order to protect personal data wherever it is processed. Its protections attach to people in the European Union, not to citizenship: a data subject located in the EU is covered regardless of nationality, and an organization outside the EU that processes that data is within its reach. When enforcement begins on May 25, 2018, we are likely to quickly see the first attempt to enforce data protection regulations across borders, but how that will happen and how effective it will be still remains to be seen.

Let me give you an example. Today, my wife received a letter from a former employer informing us that their benefits provider had been compromised. They did not know who was affected or the scope of the breach, which tells me they did not have an effective Critical Asset Protection Program in place, but they did know W-2s belonging to several employees, containing names, addresses, income information, health insurance information, and identifiers like Tax Identification Numbers (TINs) and Social Security Numbers (SSNs), were stolen. My wife is not a European citizen, but some of the people she worked with certainly are. However, the breach happened in the United States. If this happened a year from now, to what extent could GDPR be enforced and penalties be levied against her former employer?

Regardless of the outcome of particular cases like these, this incident highlights the importance of a global treaty to govern data privacy as well as the proliferation of cyberweapons.

Protecting Yourself in a Dangerous World

In light of the recent outbreak, it is important to highlight some best practices that individuals and organizations should follow in order to protect themselves. As Microsoft rightly stated in the above-referenced blog post, “this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect.”

Many of these best practices are not new, but they are practical steps that those who are seeking a teachable moment from this news can leverage to harden their individual and organizational defenses.

Patching Vulnerable Systems

Microsoft is right. Whatever you think of the leaks that made this attack possible, the vulnerability that allowed this ransomware to propagate was not a zero day. A true zero day is a vulnerability for which no patch exists. Microsoft patched this one in March 2017, in security bulletin MS17-010, which fixes the flaw in the SMBv1 file-sharing protocol that the leaked EternalBlue exploit targets. That was two months before the outbreak. The breadth of this outbreak proves that we are not diligent enough in patching our systems.

This is important. Every organization should be patching systems regularly and running frequent vulnerability scans to identify and patch vulnerable systems. A critical, wormable vulnerability with a patch available for two months still showing up in scan results is a process failure, not a tooling gap. As a community, we must demand that this relatively inexpensive process be an essential part of our security programs. If we are warned that drinking a substance is dangerous and we drink it anyway, resulting in an illness, who is to blame? This situation is no different. Not performing regular vulnerability scans is akin to drinking everything under your sink without reading the warning labels. You will get sick and possibly die; it is simply a matter of time. Performing vulnerability scans and not patching vulnerable systems is akin to reading the warning label and drinking Drano anyway.
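A general vulnerability scanner is the right tool for the recurring job, but for the protocol WannaCry abused there is a targeted check worth having on hand: ask each host whether it will still negotiate SMBv1. The following script is an added example written for this post, not code from the original or from any vendor. It sends an SMB_COM_NEGOTIATE request over TCP port 445 that offers only the "NT LM 0.12" dialect; a host that answers with an SMBv1 header and accepts that dialect has SMBv1 enabled and belongs at the top of the patch-and-harden list, while a host that answers with an SMB2 header, resets the connection, or stays silent does not speak SMBv1. The packet builder and response parser are pure functions so they can be checked offline against constructed replies; the `probe_host` wrapper does the network I/O. Host names and the assumption that the target listens on 445 are the only inputs.

```python
import socket
import struct
import sys

# Added example: SMBv1 exposure probe (not from the original post).
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECTS = [b"NT LM 0.12"]  # offer only the SMBv1 dialect so the answer is unambiguous


def build_negotiate_request() -> bytes:
    """Return a NetBIOS-framed SMB_COM_NEGOTIATE request offering only NT LM 0.12."""
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,         # protocol id
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status (unused in a request)
        0x18,               # flags: canonical paths, case-insensitive
        0xC807,             # flags2: unicode, NT status codes, extended security, long names
        0,                  # PID high
        b"\x00" * 8,        # security features
        0,                  # reserved
        0,                  # TID
        0xFEFF,             # PID low
        0,                  # UID
        0,                  # MID
    )
    dialect_blob = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    # WordCount = 0, ByteCount = length of the dialect list
    body = struct.pack("<BH", 0, len(dialect_blob)) + dialect_blob
    smb = header + body
    # NetBIOS session service header: type 0x00 followed by a 3-byte length
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(data: bytes) -> dict:
    """Classify a raw reply (NetBIOS header included) to the SMBv1 negotiate probe."""
    if len(data) < 4 + 32:
        return {"protocol": "none", "smb1_enabled": False}
    smb = data[4:]
    if smb[:4] == SMB2_MAGIC:
        # An SMB2 reply to an SMBv1 negotiate means SMBv1 is not offered.
        return {"protocol": "smb2", "smb1_enabled": False}
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return {"protocol": "unknown", "smb1_enabled": False}
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0 or len(smb) < 35:
        return {"protocol": "smb1", "smb1_enabled": False}
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    # 0xFFFF means the server accepted none of the offered dialects.
    return {
        "protocol": "smb1",
        "smb1_enabled": dialect_index != 0xFFFF,
        "dialect_index": dialect_index,
    }


def probe_host(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send the probe to one host. A reset or silence also means SMBv1 is off."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(4096)
    except OSError as exc:
        return {"host": host, "protocol": "none", "smb1_enabled": False, "error": str(exc)}
    result = parse_negotiate_response(data)
    result["host"] = host
    return result


if __name__ == "__main__":
    # usage: python smb1_probe.py host1 host2 ...
    for target in sys.argv[1:]:
        r = probe_host(target)
        flag = "SMBv1 ENABLED" if r["smb1_enabled"] else "no SMBv1"
        print(f"{target}: {flag} ({r['protocol']})")
```

Run it against your own address ranges only. It is a detection check, not an exploit: it never completes a session, and a host that reports SMBv1 enabled should be patched with MS17-010 and have SMBv1 disabled rather than merely noted.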

Concept of Least Privilege

WannaCry spreads by exploiting a known vulnerability in Microsoft's SMBv1 file-sharing protocol, the one fixed by MS17-010: an infected machine scans for other hosts listening on TCP port 445 and exploits any that are unpatched, with no user clicking anything. That step does not depend on the logged-in user's privileges, since the exploit runs with SYSTEM rights on the victim, so patching, disabling SMBv1 and blocking port 445 between workstations are the direct mitigations. But ransomware and worms also routinely reach out over the network to find every share and system the infected machine's credentials can access, and that is where the Concept of Least Privilege limits the impact of rogue software, just as it limits the damage done by a single rogue insider.

The Concept of Least Privilege essentially states that a user should have access only to the minimum set of resources necessary to do their job. However, many users across many organizations have access to things they do not need. In fact, many organizations give users Administrator or root level access when they do not need it. This allows ransomware and worms to propagate easily throughout an environment and spread to a wide breadth of systems, because every share the user can write to is encryptable and every machine the user can administer is a place the malware can run and harvest further credentials. Lateral movement is much more difficult for attackers when accounts are limited to the access they actually require. The same principle applies to network paths: a workstation has no business reaching port 445 on another workstation, and segmentation that enforces this contains a worm the way least privilege contains a compromised account.
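To make the blast-radius argument concrete, here is an added example (written for this post, not the author's own code) that models a small environment and computes what ransomware running under one user's token can reach. The model is deliberately simple and every name in it is constructed: `SESSIONS` lists which user tokens are present on each host, `LOCAL_ADMINS` lists who holds Administrator rights on each host, and `SHARE_WRITERS` lists who can write to each file share. The malware encrypts every share its current token can write to; wherever that token is a local administrator it can execute and pick up the sessions of other users on that host, then repeat. The same starting point is evaluated under an "everyone is a local admin" policy and under a least-privilege policy.

```python
from collections import deque

# Constructed environment (added example data, not from the original post).
SESSIONS = {
    "WS-ALICE": {"alice"},
    "WS-BOB": {"bob"},
    "FILESRV1": {"svc-backup"},
    "JUMP1": {"da-carol"},  # a domain admin left a session on the jump host
}

SHARE_WRITERS = {
    "\\\\FILESRV1\\Finance": {"alice", "da-carol"},
    "\\\\FILESRV1\\Engineering": {"bob", "da-carol"},
    "\\\\FILESRV1\\HR": {"da-carol"},
    "\\\\BACKUP1\\Vault": {"svc-backup"},
}

EVERYONE = {"alice", "bob", "da-carol"}
OVERPRIVILEGED = {host: set(EVERYONE) for host in SESSIONS}   # all users are local admins everywhere
LEAST_PRIVILEGE = {host: {"da-carol"} for host in SESSIONS}   # only the admin account administers hosts


def blast_radius(start_host, start_user, sessions, local_admins, share_writers):
    """Return (compromised_hosts, encryptable_shares) for an infection that begins on
    start_host with start_user's privileges. A token that is local admin on a host lets
    the malware run there and reuse every session on that host."""
    compromised = {start_host}
    users = {start_user}
    dumped = set()  # hosts whose sessions have already been harvested
    queue = deque([start_user])
    while queue:
        user = queue.popleft()
        for host, admins in local_admins.items():
            if user in admins and host not in dumped:
                dumped.add(host)
                compromised.add(host)
                for other in sessions.get(host, ()):
                    if other not in users:
                        users.add(other)
                        queue.append(other)
    shares = {name for name, writers in share_writers.items() if users & writers}
    return compromised, shares


def compare_policies(start_host="WS-ALICE", start_user="alice"):
    """Evaluate the same infection under both admin policies; returns a summary dict."""
    out = {}
    for label, policy in (("overprivileged", OVERPRIVILEGED), ("least_privilege", LEAST_PRIVILEGE)):
        hosts, shares = blast_radius(start_host, start_user, SESSIONS, policy, SHARE_WRITERS)
        out[label] = {"hosts": len(hosts), "shares": len(shares)}
    return out


if __name__ == "__main__":
    for label, summary in compare_policies().items():
        print(f"{label:16s} hosts={summary['hosts']} shares={summary['shares']}")
```

With alice as a local administrator everywhere, one infected workstation reaches all four hosts and all four shares, including the backup vault through the service account's session; with least privilege, the same infection is confined to her workstation and the one share she needs. Real environments can be analyzed the same way by exporting session and local-group data from the directory instead of the constructed sets above.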

Clicking on Emails

It has been reported that the most recent outbreak was not caused by phishing emails, that is, emails designed to trick a user into installing malicious software by clicking a link or opening an attachment. However, the vast majority of ransomware infections do start that way. Now is a good time to remind all users to be very careful of anything they receive from a stranger. This is very much like the “don’t take candy from strangers” rule taught to children around the globe. If you do not know the person giving you candy, do not eat it. Likewise, if you do not know the person sending you an email, do not click it. One caveat worth adding to the reminder: phishing frequently impersonates people the recipient does know, so an unexpected attachment or link from a familiar name deserves the same suspicion. We cannot say this to users enough.

Defense in Depth

Most organizations have a myriad of technologies deployed to protect their environment from infections. Endpoint protections like antivirus or next generation endpoint protection products are an important piece of the puzzle. So are web gateways and email gateways, which provide another layer of protection. However, none of these things are effective if they are not kept up to date, deployed universally and managed properly; a control that covers ninety percent of endpoints leaves the worm the other ten percent to start from.

Backups

Ransomware is not going anywhere. Simply put, if you do not have multiple copies of your data stored in locations that are not connected to each other, you could lose it at any moment. At least one copy should be offline or otherwise immutable, because ransomware that can reach a mounted backup volume will encrypt it along with everything else. While some advanced strains of ransomware lie dormant long enough to render backups useless, most do not. However, many organizations do not have frequent and comprehensive backups, so the data that is not properly backed up is lost. Restores should be tested regularly as well; a backup that has never been restored is an assumption, not a control. Business Continuity and Disaster Recovery planning, as well as an overall Incident Response plan that includes procedures for responding to a ransomware outbreak, is strongly recommended.

Conclusion

The recent outbreak, if nothing else, should serve as a reminder that we live in a dangerous world. Many people go about their daily lives on the Internet, surrounded by strangers around the globe, in a shockingly naïve way. Know that nothing shared online is completely private, and you cannot be too careful about who you interact with and how you interact with them. There have always been bad people in the world that mean you harm. However, while you are on the Internet, they are sitting next to you. Behave accordingly. Remain vigilant and protect yourselves, your organizations, your clients, and your communities. We truly are in this together.
