About Joerg Asma

Security and Resilience are two of the most important critical issues for companies and organizations. Today, after numerous revelations about governments and companies spying on each other, there is hardly a single topic as present in the headlines of international media as security. Keeping the most important assets away from third parties and detecting and responding to attacks on cyber networks, top management executives and company boundaries has been on the board agenda for years, though. For more than 15 years I have been advising companies in assessing, setting up and advancing their cyber security and resilience frameworks. As Managing Director of Comma Management Consulting for Security, the security division of Comma Soft AG, and previously as Senior Partner at KPMG Consulting, in charge of the Information Protection & Business Resilience practice in EMEA, I led a large number of client engagements in Fortune 500 companies as well as in SMEs. Advising clients, deep diving into their challenges and finding excellent solutions together with my team drives my daily business and is my absolute passion. All thoughts on this website are mine except those linked to other websites.

My Top 5 Predictions for 2015

Predicting the future is almost impossible, especially with such a fast-evolving topic as cybersecurity. Nevertheless I’ll give it a try and share some of my thoughts with you.

I had a lot of chats with CIOs, CEOs and COOs as well as journalists, talking about what we all see, what our biggest fears are and what they and I expect to see in the near future.

Here are my thoughts about the Top 5 challenges our world will face in 2015. Just in case you would like to add something, feel free to drop me a line and I will add your thoughts / comments promptly.

Top 1: Rent-A-Botnet
As we all saw in the past, botnets seem easy to rent (1,000 for some 100 USD, down to 10 USD for an hour of access time), and the service quality is increasing dramatically while prices are decreasing. The service quality is key to the evolution of this market. When selling services to the “normal” world, credentials are important. Selling services on the dark side means that delivering cybercrime services is only possible when having top credentials, hard proof of delivery and 100% reliability. These requirements drive service quality enhancements that even lead to service desk support for your rented botnet, customization support and other services most people can hardly imagine when talking about a crime scene. We even see that targeted attacks lead to new customer creation efforts. An example is that DDoS targets sometimes receive blackmail emails with 3 key messages:

  1. Pay the fee to avoid DDoS attacks leading to unavailability of your services
  2. Do not contact any cybersecurity specialist to defend your services, because this will lead to a dramatic increase in the number of bots attacking you
  3. Order your own botnet attack against the attackers and you will receive a discount of 20-40%

Top 2: Industry 4.0
Industry 4.0 discussions very often end up in security concerns. On one hand companies fear that SCADA systems, PLCs and industrial devices could come under fire. This is a serious concern, and it is very realistic when considering that a lot of industrial devices are not hardened but are connected to office networks that have no virus scanners and are very often protected by firewalls having more communication exceptions than limitations.

Imagine that, in combination with IPv6, internet structures become more stable and reliable and your refrigerator, light bulb or industrial robot is infected and becomes part of a botnet or is in other ways involved in cybercriminal activities.

Top 3: Data Destruction
2014 ended with a huge security incident at Sony Pictures. We saw problems at Sony companies before, like the PSN hack. Nevertheless this hack shows a new quality in cyberattacks. It became very common to hack companies and to leak information as a “proof of hack” to make the cybercriminal business plan work. During this hack we saw that users couldn’t use their workstations any more, and data destruction seemed to be part of the game. Also in other security incidents we became aware of the fact that data loss is common, but data manipulation and data destruction are becoming even more serious and are on the rise.

Top 4: Supply Chain Security
In the past we already recognized that supply chain security seems to be important, but the headlines have not been filled with stories about companies being attacked via supply chain connections. One of the most remarkable stories has been the virus problem on Predator and Reaper drones in 2011. Other hacks we saw in 2014 demonstrated that very often companies rely on their own security measures like firewalls, awareness trainings, encryption and so forth. But as we all know, the strength of a chain is determined by the weakest link, which is very often a supplier. A “good” example is the “Target” breach, where Fazio Mechanical, an air conditioning and heating maintenance company, was compromised. As we all know from various investigation reports on Target’s incident, the attack on their supplier seemed to be highly sophisticated.

Based on research on this topic, we see this threat on the rise and becoming more and more successful.

Top 5: Mobile Device Exploit Kits
Years ago mobile devices were pretty safe. But with the trend showing that mobile devices may replace notebooks and “thick clients” in general, exploit kit developers seem to start focusing on mobile device exploit kits. The mobile world seems to know several operating systems, but in the end these are only 3 (iOS, Windows and Android). At least iOS shows only a few variants – users keep their iOS up to date, so that creating one exploit kit has a huge impact in the user community. Also, with spyware for smartphones increasingly being thrown on the market, a baseline software repository to duplicate calls and copy WhatsApp conversations as well as SMS messages is available. The step from “legal spyware” (in Germany it is not legal, but in other jurisdictions its use is pretty common) to an exploit kit is pretty small.

Right now effective antivirus and other prevention software is hard to find, and the fact that only a few users even care about this problem leads to millions of vulnerable devices being in the focus of cybercriminals.

Security – A Misleading Concept?

Currently I am creating a presentation on cyber security as a competitive advantage. It looked like a simple task, but …

When building a presentation I feel that the content should be meaningful. Starting to think about the fundamentals I need/want to convey and a good starting point, I thought it would be a good idea to start with a definition of cyber security.

Defining both words, Cyber and Security, I found a definition which is a little bit strange, but it was taken from William Gibson’s novel 1984:

„Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts… A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding.“ 

Source for the artwork: http://hqwide.com/wallpapers/l/1920×1080/61/artwork_neuromancer_william_gibson_1920x1080_60671.jpg

Another one I found good and better suited for business purposes was given by the University of Maryland:

The interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.

Source: http://www.umuc.edu/cybersecurity/about/cybersecurity-basics.cfm

I believe this one has a better fit for purpose. Nevertheless it gives a limited view on security issues. Cyberspace is meant to be digital. But what does that mean in relation to the intellectual property that people have? Information written or printed on paper. Proofs of concept coming from a machine and so on. Short story: What is the representation of non-digital information? From what I found, non-digital information is not covered by the term “cyber”!

What is the better term to provide a holistic view on security?

To be honest: I didn’t find one. Information is written on paper, stored in brains, in computers. Sometimes it is tangible, sometimes not. Sometimes it is related to buildings and other forms that might represent information or a value. The next question deriving from these thoughts:

Is there anything of value that is not related to information?

If you find something please tell me!

Security in general is meant to be a concept that implies protection from harm to any asset.

That is also the reason why we find numerous security functions in enterprises:

  • Corporate security
  • Facility security
  • Information security
  • IT security
  • Cyber Security
  • Data protection

When talking to clients about their security functions I very often hear that there is a wish to add new skills to the organization to cover new threats! When doing this, organizations tend to look for reasonable compromises, which are more likely to be trade-offs. Usually existing structures are maintained (e.g. the IT Security Officer) and new functions like a Cyber Security Department are added to the organization with newly defined responsibilities and different reporting lines.

Looking at the cyber definition again, the conflict is obvious! IT security deals with infrastructures. The information protection officer deals with information stored anywhere, and the Cyber Security Defense Service feels extremely hip because it is something new and really important, has an excellent budget and sits on the territory of the CISO, IT Security Officer and others.

I started to write down where security applies and found a number of issues and security functions. Most of them overlap, which I feel is ok.

Detection is the new Prevention

In another article I already presented my view on Detection versus Prevention. I believe Detection is key! A huge misunderstanding is that, looking at the concept of security, the spotlight is on prevention. This might be true, but detection is the new prevention. In order to avoid harm to your organization you need to know your enemy and be prepared for almost everything that can happen. You will have to accept that hackers will jump into your networks, and you will need to be prepared to detect them and fix the damage asap.

What happens here: It is RESILIENCE!

Organizations need to be better prepared to fix security incidents, no matter if they are related to buildings, employees, VIPs, IT infrastructure, paper-based information etc.

When I came to this conclusion I felt that any security function in an organization is an important feature. It is a preventive feature. It helps to detect issues. But recovery from incidents will be more important than we have ever believed.

I feel that a Business Resilience Function in any organization is the key to eliminating conflicts between different security functions and helps to align them into a powerful organization helping with prevention, detection and recovery!

What do you think? I do not know if I am right or wrong! I am really interested to read your views on this! Please share your thoughts with me and the rest of the community!

The link Between a Company’s Supervisory Board and its Security Strategy

Companies Need New Security Strategies

With regard to cloud computing, Bring Your Own Device (BYOD) or social networks, companies have to think about their security strategy. Whereas the principle of prevention was effective for a long time, it is not effective any more. Having a huge number of mobile devices in place, using various storage systems within the enterprise or outside, and the demand for flexible and fast collaboration with clients, partners and suppliers, nobody is able to predict where a certain piece of data is right now, how often it has been copied or will be tomorrow.

It is just a fact that business critical information does not reside within the perimeters of the enterprise any more.

Given this fact, a company can protect its perimeters with huge efforts and be almost safe, but a weak system outside the enterprise like a social network or a public cloud system destroys all efforts of protecting the assets by preventing intrusion into the own infrastructure. The enterprises are simply not in control of the prevention system any more.

Another challenge is the complexity of attacks against enterprise infrastructures. Nowadays zero day exploits and strongly customized malicious code are being used more often, applying advanced persistent threat techniques, which leads to the situation that most of the highly sophisticated attacks are not recognized by any prevention system like antivirus, intrusion detection / prevention systems or firewalls. These attacks are simply below the radar screen of the traditional security systems.

What are the new Security Strategies to be applied better today than tomorrow?

The prevention of the future is detection! What does that mean? It means that enterprises have to improve their ability to register anomalies in the data flows, leading to a more reliable and faster detection of security incidents. There are two main areas of improvement:

  1. Time to detect a security incident caused by APTs or other highly sophisticated techniques
  2. Time to fix the issue

Especially the time to detect requires companies to have intense monitoring capabilities in place to ensure reliable detection. By building these capabilities not only the requirements of companies are in scope, but also the personal rights of employees are affected. A company going this way will need to have trust within their works councils, and from my perspective it is even better to involve the employees to build trust that these facilities are not only a requirement to secure the enterprise but also the individual.

Any requirement for the supervisory board?

With respect to the supervisory board’s requirements to monitor and give advice to C-levels, a few questions have to be clarified:

  1. Does the internal control system of the enterprise reduce the risk of exposure of employees and management to threats from the outside (e.g. use of email, websites, unknown documents)?
  2. Is a reporting system in place to indicate potential threats and suspicious activities?
  3. Does the enterprise have a stable detection system in place to uncover security incidents?
  4. Did the company test the effectiveness of detection techniques and include the results in a continuous improvement process?
  5. Are security incidents adequately reflected in the board of management’s report on the business situation of the company?

Conclusion

In the end this means that companies have numerous options to improve security, deal with the liabilities of board members and the supervisory board, and drive efficient security measures.

I would suggest keeping an eye on two work streams:

  1. Switch off non-effective security measures that simply address prevention – just talk to me and I will assist you to go this way based on a success fee.
  2. Establish a process to ensure that materiality and severity of security incidents become transparent to board members and their supervisory boards, to ensure conformity to financial reporting standards.

Just in case you do not believe that security is to be reflected in financial reporting, you should read the Corporate Finance Disclosure Guidance No. 2: Cybersecurity issued by the SEC. You might also want to use Google to find out who was already addressed by the US regulators for not having properly addressed this issue!

What is the bigger threat? Employees or hackers?

Years ago I read an FBI survey on security incidents and a root cause analysis. I didn’t find it again (if you have it – please send it to me), but I can still remember that it said something like almost 70% of security incidents had been caused by employees.

The last survey I found, from the United States Secret Service, named “2013 US State of Cybercrime Survey”, says that only 21% of cybersecurity incidents have been caused by current and former employees (there is a summary available from PwC in the US that helps you to avoid reading all this stuff).

Nevertheless I found it really difficult to qualify this information and to have a more solid foundation of sources that helps me to better understand and to better argue with my peers.

But as time went by and big data is not just a buzzword but real applications are available, I found a website I desperately want to share with you. They analyzed hacks and other security incidents and built categories to classify these hacks.

The result is a really meaningful and beautiful visualization of security breaches and their sources. What strikes me is the possibility to slice and dice industries, sources and size of the incident and get a visual presentation.


I believe that this is one of the most advanced ways to present these figures without leaving room for arguing if the numbers are correct or not. They are simply based on press releases!

My suggestion: Read it and play with it! Click on the graphics and you will be forwarded to the website. Enjoy it!

Btw: They also disclose the source of information that leads to this fantastic visualization: Click me!

World’s Biggest Data Breaches & Hacks – Information Is Beautiful

See on Scoop.it: Graphics from my #factsandfiguresday

Data visualization of the world’s biggest data breaches, leaks and hacks. Constantly updated. Powered by VizSweet.

Joerg Asma’s insight:

I like the way information is presented. I am personally a very analog guy, which is perfectly addressed here.

The title “Information is Beautiful” says it all! What’s your opinion? Tell me!

See on www.informationisbeautiful.net

Paradigm Shift in Information Protection: Moving from Prevention to Detection

Key Elements of Security

All of us (at least the security specialists) believe that security consists of three key elements:

  1. Prevention
  2. Protection
  3. Response

Security Incidents: Externally vs. Internally Caused Incidents

Furthermore we all believed that most of the security incidents, around 70% says an older FBI survey, have been caused by employees or at least by people from inside an organisation, without mentioning if these have been fraudulent activities or if these incidents had been caused by accident.

Now things have changed. I do not have an exact number from a survey, but now a lot of people believe that the ratio is 30% from inside and 70% from outside.

What is the conclusion? Looking at this, a lot of people believe that the reduction in incidents caused from inside is a result of better prevention and awareness campaigns.

Looking at the information available on the internet, we need to come to the conclusion that the absolute number of security incidents from inside is still the same, while the number of externally caused security incidents increased dramatically.

Advanced Persistent Threats

The acronym APT was not used until 2005, when it was created by the US government. I do not want to describe the nature of an APT in detail – that has been done often enough – but I would like to point out that it becomes more and more difficult to prevent your infrastructure from being penetrated. Due to the fact that APTs result in slow and low intrusions, it is also really difficult to detect them.

When it comes to an intrusion there are two key elements you can deal with:

  1. Time to Detection
  2. Mean Time to fix

The ultimate goal is to reduce both times to a minimum, which means reducing your information leakage.

Conclusion

Let’s gather some facts I described in my posting:

  1. Threats from the outside (cyber threats) are increasing dramatically
  2. Intrusion Techniques evolve – APT is reality
  3. Prevention is not effective
  4. Detection is the only solution against APT

The only conclusion I can come to is that organizations that want to achieve a reasonable “amount” of security need to focus on detection and shift their capabilities.

You might want to walk through the Prezi attached.

Happy New Year

It is now approximately 10 months ago that I announced that I would relaunch my blog and restart writing about security. What I didn’t know at that time is that this year would become my personal nightmare.

I lost my grandma and my brother-in-law. My grandma died at the age of 96 and my brother-in-law at the age of 46. This is something you can’t prepare yourself for! This knocks you out!

Driven by my brother-in-law’s sudden death I decided to change the way I live: pay more attention to my family, get rid of the weight I gained in more than 11 years at KPMG. I started running again and have already lost 14 kilos. Another 14 are to go now!

Another thing I will change is the place where I live. Something that came pretty quickly was changing my working life. I am no longer part of the KPMG partnership and will start something new in the area of information protection during this year. I am preparing myself for it, and I may tell you that it will be great!

These changes have been massive, but it is a really good starting point for my “new” life. I got rid of all the add-on roles that consumed a lot of power and time, and I can now focus on people that matter to me and on my profession again.

One of those things that helped me after these massive changes was that a big part of my physical and virtual social network supported me very intensively. That was great and gives me a lot of power and inspiration to go for my future projects:

Building my new house started last year and will hopefully be finalized in 2014. I will think about certain aspects of security and take some time to write about them. Maybe I will start to write a book of my own (I already have something in mind). I will continue working on the 4th edition of the cloud computing book together with Tobias and some others I have now known for many years. Doing my first half marathon this year and hopefully my first marathon next year. Last but not least, I will really relaunch my social media activities on Facebook, Scoop.it and Twitter.

One event that made me so positive is a speech I heard given by Jim Lawless – Tame your Tiger (http://www.tamingtigers.com/, on FB: https://www.facebook.com/tamingtigers). I heard it 3 or 4 years ago and it was a very important impulse in my private and business life. At that time I was not successful in changing my life. My tiger was too big! Jim gave us postcards and asked us to write down which is the tiger each of us wants to tame. My tiger was changing my working life! Now others “helped” me to tame this tiger and helped to make things come true I was not prepared for.

I hope that you now have a better understanding of the situation I was in for the last 10 months. But now it is time to look forward again, going for a fantastic year 2014 with a lot of new experiences, new people and a new environment.