Category Archives: Cybersecurity

My Top 5 Predictions for 2015

Posted on by
Reply

Predicting the future is almost impossible especially with such a fast evolving topic like cybersecurity. Nevertheless I’ll give it a try and share some of my thoughts with you.

I had a lot of chats with CIOs, CEOs and COOs as well as journalists talking about what we all see what our biggest fears are and what they and I expect to see in the near future.

Here are my thoughts about theTop 5 challenges our world will face in 2015. Just in case you would like to add something feel free to drop me a line and I will add your thoughts / comments promptly.

Top 1: Rent-A-Botnet
As we all saw in the past that botnets seem easy to rent (1.000 for some 100 USD down to 10 USD for an hour accesstime) the service quality is dramatically increasing while prices are decreasing. The service quality is key to the evolution of this market. When selling services to the “normal” world credentials are important. Selling services on the dark side means that delivering cybercrime services is only possible when having top credentials and a hard proof of delivery and 100% reliability. These requirements drive service quality enhancements that even lead to service desk support with your rented bot net, customization support and other services most people can hardly imagine when talking about a crime scene. We even see that targeted attacks lead to new customer creation efforts. An example is that DDoS targets sometimes receive blackmail eMails with 3 key messages:


1.      Pay the fee to avoid DDoS attacks leading to unavailability of your services

2.      Do not contact any cybersecurity specialist to defend your services because this will lead to a dramatical increase in bots attacking you

3.      Order your own botnet attack against attackers and you will receive a discount of 20-40%

Top 2: Industry 4.0
Industry 4.0 discussions very often end up in security concerns. On one hand companies fear that SCADA systems, PLCs and Industry devices could come under fire. This is a serious concern and it is very realistic when considering that a lot of industry devices are not hardened but connected to office networks having no virus scanners and very often being protected by firewalls having more communication exceptions than limitations.

Imagine that in combination with IP V6 internet structures become more stable and reliable and your refrigerator, lightbulb or industry roboter is infected and becomes part of a botnet or is in other ways involved in cybercriminal activities.

Top 3: Data Destruction
2014 ended up with a huge security incident at Sony pictures. We saw problems at Sony companies before like the PSN hack. Nevertheless the hack shows a new quality in cyberattacks. It became very common to hack companies and to leak information as a “proof of hack” to make the cybercriminal business plan work. During this hack we saw that users couldn’t use their workstations any more and data destruction seemed to be part of the game. Also in other security incidents we became aware of the fact that data loss is common but data manipulation and data destruction become even more serious and are on the rise.

Top 4: Supply Chain Security
In the past we already recognized the supply chain security seems to be important but the headlines have not been filled with stories about companies being attacked using supply chain connections. One of the most remarkable stories has been the virus problem on Predator and Reaper drones in 2011. Other hacks we saw in 2014 demonstrated that very often companies rely on their security measures like firewalls, awareness trainings, encryption and so forth. But as we all know is the strength of a chain determined by the weakest link which is very often a supplier. A “good” example is the “Target” breach where Fazio Mechanical, an air condition and heating maintenance company, was compromised. As we all know for various investigation reports on Targets incident the attack on their supplier seemed to be high sophisticated.

With research on this topic we see this threat on the rise and being more and more successful.

Top 5: Mobile Device Exploit Kits 
Years ago mobile devices have been pretty safe. But with the trend showing that mobile devices may replace notebooks and “thick clients” in general Exploit kit developers seem to start focussing on mobile device exploit kits. The mobile world seems to know several Operating Systems but in the end these are only 3 (IOS, Windows and Android). At least IOS shows only few variants – users keep their IOS up to date so that creating one exploit kit has a huge impact in the user community. Also with spyware for smartphones increasingly being thrown on the market a baseline software repository to duplicate calls, copy WhatsApp conversations as well as SMS messages is available. The step from “legal spyware” (in Germany it is not legal but in other jurisdictions its use is pretty common) to an exploit kit is pretty small.

Right now effective antivirus and other prevention software is hard to find and only few users even care about this problem leads to millions of vulnerable devices being in the focus of cybercriminals.

Security – A Misleading Concept?

Posted on by
Reply

Currently I am creating a presentation on cyber security as a competitive advantage. It looked like a simple task, but ….

When building a presentation I feel that the content should be meaningful. Starting to think about a good starting point, the fundamentals I need/want to transport and a good starting point i thought it would be a good idea to start with a definition of cyber security.

Defining both words, Cyber and Security I found a definition which is a little bit strange but it was taken from William Gibson’s Novel 1984:

„Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts… A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding.“ 

Source for the artwork: http://hqwide.com/wallpapers/l/1920×1080/61/artwork_neuromancer_william_gibson_1920x1080_60671.jpg

Another one I found good and better suitable for business purposes was given by the university of maryland

The interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.

Source: http://www.umuc.edu/cybersecurity/about/cybersecurity-basics.cfm

I believe this one has a better fit for purpose. Nevertheless it gives a limited view on security issues. Cyberspace is meant to be digitally. But what does that mean related to intellectual property that people have. Information written or printed on paper. Proof of concepts doming from a machine and so on. Short story: What is the representation of non digital Information? From what I found non digital information is not covered by the term “cyber”!

What is the better term to provide a holistic view on security?

To be honest: I didn’t find one. Information is written on paper, stored in brains, computers. Sometimes it is tangible, sometimes not. Sometimes it is related to buildings and other forms that might represent information or a value. The next question deriving from these thoughts:

Is there anything of value that is not related to information?

If you find something please tell me!

Security in general is meant to be a concept that implies protection from harm to any asset.

That is also the reason why we find numerous security functions in enterprises:

  • Corporate security
  • Facility security
  • Information security
  • IT security
  • Cyber Security
  • Data protection

When talking to clients about their security functions I very often hear that there is a wish to add new skills to the organization to cover new threats! When doing this organizations tend to look for reasonable compromises which are more likely to be trade offs. Usually existing structures are maintained (e.g. the IT Security Officer) and new functions like a Cyber Security Department is added to the organization with newly defined responsibilities and different reporting lines.

Looking at the cyber definition again the conflict is obvious! IT security deals with infrastructures. The information protection officer deals with information stored anywhere and the Cyber Security Defense Service feels extremely hip because it is something new, really important having excellent budget and sits on the territory of the CISO, IT SecOfficer and others.

I started to write down where security applies and found numbers of issues and security functions. Most of them have an overlap which I feel that it is ok.

Detection is the new Prevention

In another article I already presented my view on Detection versus Prevention. I believe Detection is key! A huge misunderstanding is that looking at the concept of security the spotlight is on prevention. This might be true but detection is the new prevention. In order to avoid harm to your organization you need to know your enemy and be prepared against almost everything that can happen. You will have to accept hackers to jump into your networks and you will need to be prepared to detect them and fix the damage asap.

What happens here: It is RESILIENCE!

Organizations need to be better prepared to fix security incidents no matter if they are related to buildings, employes, VIPs, IT infrastructure, paper based information etc.

When I came to this conclusion I felt that any security function in an organization is an important feature. It is preventive feature. It helps to detect issues. But recovery from incidents will be more important than we have ever believed.

I feel that a Business Resilience Function in any organization is the key to eliminate conflicts between different security functions and helps to align them to a powerful organization helping with prevention, detection and recovery!

What do you think? I do not know if I am right or wrong! I am really interested to read your views on this! Please share your thoughts with me and the rest of the community!

The link Between a Company’s Supervisory Board and its Security Strategy

Posted on by
Reply

Companies Need New Security Strategies

With regard to cloud computing, Bring Your Own Device (BYOD) or Social Networks companies have to think about their security strategy. Whereas the principle of prevention was effective for a long time it is not effective any more. Having a huge number of mobile devices in place, using various storage systems within the enterprise or outside and the demand for flexible and fast collaboration with clients, partners and suppliers nobody is able to predict where a certain piece of data is right now, how often it has been copied or will be tomorrow.
It is just a fact that business critical information does not reside within the perimeters of the enterprise any more.
Given this fact a company can protect its perimeters with huge efforts and be almost save, a weak system outside the enterprise like a social network or a pubic cloud system destroys all efforts of protecting the assets by preventing intrusion in the own infrastructure. The enterprises are simply not in control of prevention system any more.
Another challenge is the complexity of of attacks against enterprise infrastructures. Nowadays more often zero day exploits and strongly customized malicious code is being used, applying advanced persistent threat techniques which leads to the situation that most of the high sophisticated attacks are not recognized by any prevention system like antivirus, intrusion detection / prevention system or firewalls.
These attacks are simply below the radar screen of the traditional security systems.

What are the new Security Strategies to be applied better today than tomorrow?

The prevention of the future is detection! What does that mean? This means that enterprises have to improve their ability to register anomalies in the data flows leading to a more reliable and faster detection of security incidents. There are two main areas of improvement:

  1. Time to detect a security incident caused by APTs or other high sophisticated techniques
  2. Time to fix the issue

Especially the time to detects requires companies to have intense monitoring capabilities in place to ensure reliable detection. By building these capabilities not only the requirements of companies are in scope but also the personal rights of employees are affected. A company going this way will need to have trust within their working councils and from my perspective it is even better to integrate the employees to build trust that these facilities are not only a requirement to secure the enterprise but also the individual.

Any requirement for the supervisory board?

With respect to the supervisory boards requirements to monitor and give advise to C-Levels, a few questions have to be clarified:

  1. Does the internal control system of the enterprise reduce the risk of exposure of employees and management against threats from the outside (e.G. Use of eMail, websites, unknown documents)?
  2. Is a reporting system in place to to indicate potential threats and suspicious activities?
  3. Does the enterprise have a stable detection system in place to uncover security incidents?
  4. Did the company test the effectiveness of detection techniques and includes the results in a continuous improvement process?
  5. Are security incidents adequately reflected in the board of management’s report on the business situation of the company?

Conclusion

In the end this means that companies have numerous options in place to improve security, deal with liabilities of board members and the supervisory board and drive efficient security measures.

I would suggest to keep an eye on two work streams:

  1. Switch of non effective security measures that simply address prevention – Just talk to me and I will assist you to go this way based on a success fee.
  2. Establish a process too ensure that materiality and severity of security incidents becomes transparent to board members and their supervisory boards to ensure conformity to financial reporting standards.

Just in case that you do not believe that security is to be reflected in the financial reporting you should read the Corporate Finance Disclosure Guidance No. 2: Cybersecurity issued by the SEC. You might also want to use Google to find out who was already addressed by the Regulators of the US to have not properly addressed this issue!

What is the bigger threat? Employees or hackers?

Posted on by
Reply

Years ago I read an FBI survey on security incidents and a root cause analysis. I didn’t find it again (if you have it – please send it to me) but I can still remember that it said something like almost 70% of security incidents have been caused by employees.

The last survey I found from the United States Secret Service named “2013 US State of Cybercrime Survey” says that only 21% of cybersecurity incidents have been caused by current and former employees (There is a summary availabe from PwC in the US that helps you to avoid reading all this stuff).

Nevertheless I found it really difficult to qualify these information and have a more solid foundation of sources that helps me to better understand and to better argue with my peers.

But as time went by and big data is not just a buzzword but real applications are available I found a website I desperately want to share with you. They analyzed hacks and other security incidents and built categories to classify these hacks.

The result is a really meaning- and beautiful visualization of security breaches and their sources. What strikes me is the possibility to slice and dice industries sources and size of the incident and get a visual presentation.

Bild

I believe that this is one of the most advanced ways to present these figures without leaving room for arguing if the numbers are correct or not. They are simply based on press releases!

My suggestion: Read it and play with it! Click on the graphics and you are forwarded to the website. Enjoy it!

Btw: They also disclose the source of information that leads to this fantastic visualization: Click me!

Social Media – C-Levels Tricked and Trapped

Posted on by
3

During various conversations at the dmexco 2012 in cologne I realized that Social Media Risk Management already hit the boardroom but almost nobody is aware of it. So was I!

The reason why I believe that social media already reached the boardroom is so simple and so complex at the same time.

Almost everybody knows that you need to be active on social media. As social networks and social media is constantly gaining more and more power it is the ultimate source to solve a couple of challenges companies and their C-Levels experience:

Marketing Efficiency

Who wants to spend millions for marketing campaigns some really enthusiastic and creative brains build without giving you the tools to find out how effective your campaign is.

War for Talents

New employees are the lifeblood of every professional services firm. Attracting the right people and retaining them is key. But how do you do that? Go social! Young people leaving university and school have an incredibly huge social media competence and define themselves different than people like I did at their age. During interviews with potential candidates for our firm I had to realize that the questions I am asked are different than 10 years ago. People ask for BYOD, Smartphones, Work Life Balance Concepts, Mobility Concepts and much more. Most of the time they already used social media to inform themselves about my company. They even do not use our website, but they use facebook and twitter. So going social is not optional! It’s mandatory and therefore it’s a boardroom issue. The C-Suite usually approves this “HR stuff”.

CRM

Is customer relationship management an application to plugin to you ERP system or buy a monumental application that stores all your client data. I believe we will see distributed CRM systems in the future. These are the Facebook profiles, twitter lists and Xing / linked in groups which are the data marts for future CRM systems. Right now most of the professional people, being active on social networks, maintain not only private but also business contact lists and support sales and delivery through these channels. It became more viral than most of the non social networking C-Levels believe. In the end it means that you need to rely on those people acting in social networks and facilitate sales and generate leeds. In most of the companies (especially the professional services firms)  this is done unintentionally and the leaderships are overwhelmed by the “new” opportunities that arise.

What is the conclusion

You might ask yourself or me why a blogger about security and risk management writes something about CRM and war for talents and what this has to do with Social Media Risk Management.

As I already said it is simple but also complex. Everybody accepts that social media is in important factor in people’s life and business matters. We design campaigns for our businesses.  We sometime try to enforce social media policies. But do we really think that there is a difference between private and professional social media? We think so but it’s not! People have to disclose which company they are working for or they should not write one word about this company and stay private.

When asking people about their profiles on social network sites like facebook I very often get the answer:

Uuuh good question, but I am prepared for this! I arranged this in a propper way: facebook is used privately and linkedin is used in the professional part of my life!

Sounds reasonable but reality looks different. If you look at those facebook profiles you see that people disclose their company name and their position in the firm. This is the moment when a private account is not private any more. In Germany there was a law suite about where the judges came up and said that the use of a company name and maybe writing that you want to get (business contacts) is sufficient to assume you are not a privateer and that you have to behave professional.

Following this argumentation the C-Levels need to be in control over what their employees do just in case a third party cannot find out ad hoc if a person is a private or a professional person when looking at posts or their profiles.

C-Levels need to have an overview, who is acting as an employee of their company (even when knowing it). And last but not least it means that C-Levels have to enforce and monitor the use of policies in these open spaces. Right now I believe that boardroom members do not realize that they have to extend their control to social media or tell their people that they may not act on behalf of the firm and have to stay strictly private.

But who wants this? Nobody! You would loose the viral effect of social networks!

I know that this is a provocating statement but I absolutely believe what I wrote. Any comments are highly appreciated.

Collateral Damage of Cyberwarfare is Unpredictable – Security 2.0

Posted on by
Reply

During the last quarter of this year I had a lot of talks with CISOs and CIOs from major European companies about the impact of cyber warfare on their organizations.

Most of them refused even thinking about the impact of cyber warfare, which I can absolutely understand since most of them are not working in the defense industry and thinking about warfare is nothing we like to do. Nevertheless I feel that everybody should be encouraged to think about this topic and what it means to civil organizations in general.

Remember the latest press releases about Stuxnet, Duqu and Flame. What was / is the difference between cyber warfare and traditional war concepts.

 

Artwork found on jewlicious

The main difference – and that is what makes it so important to me – is that collateral damages can never be linked directly to the armed conflict. In traditional warfare concepts you will always be able to see the collateral damage caused by a bomb. You will see it on TV. You will see it in the press. You will hear it on the radio.

With cyber arms no one really knows who fired the gun – remember distributed attacks – and who is the target. Companies or organizations experience that they are hit by a serious attack but never know if they have been really the target. They just feel like it.

But what does that mean to civil organizations and companies?The situation regarding cyber attacks is heating up. We increasingly see serious attacks which are linked to those three “governmental” viruses (Stuxnet, Doqu, Flame) or experience malicious code like the trojan code built by the German government, called the “Staatstrojaner”. After Stuxnet we saw a huge number of organizations that had security incidents linked to Stuxnet which underpins the opinion that the company might experience a collateral damage without even knowing that it is the result of a (cyber) armed conflict. One nationstate might attack the other using cyber arms turning off the light in small and medium businesses in other, not in this conflict involved, countries, disturb operations in hospitals and so forth.

In the future companies need to built their own “cyber shield” to protect themselves against this kind of “advanced persistent threat”. In case of Stuxnet, Duqu and others we can learn that these intelligent pieces of code have been distributed in a way where traditional concepts like IDSes, IPSes and firewalls have been useless. Distribution was done using eMails, USB sticks, removable media and other very simple vehicles. They did not cross traditional company borders.

The conclusion is: Perimeter security does not work anymore and companies need to rely on safeguards they will have to put around individual assets. We arrived at the absolute need to create asset based security mechanisms instead of big walls! This is another reason why I believe: We reached security 2.0! We need to change the way we are doing security. I absolutely know that I do not meet everyone’s opinion of this serious topic but nevertheless I encourage you to discuss it with me and discuss what you feel what security should look like in the future. Maybe I am wrong. Convince me if I am wrong!

Cloud Computing – Security versus Industrialization

Posted on by
Reply

Some of you asked me to write more about Cloud Computing and issues related to this topic from the security and forensics space.

I would like to share some experiences that I made during the last year mainly from (Public) cloud projects where my team and I discussed security issues with business owners but also with security experts. Sometimes I am really worried about what I see and hear.

The Mystery of Cloud Computing Hardware

I can’t resist to write this paragraph because it was so surprising to me. In one of the project kick offs an experienced penetration tester of major German security firm said:

“Hm – the stuff I saw in the presentation was ordinary IT – I am missing the cloud technology!”

I found this comment a little bit bizarre because it shows that there is not yet a common understanding of what Cloud Computing is.

According to the NIST definition it is not a hardware or software model. It is a service delivery approach for IT services. The conclusion must be: Never expect to see a hardware register or a software register that tells you “This is a Cloud”.

Key criteria to name a service a cloud service are:

  • On demand self service
  • Broad network access
  • Ressource pooling
  • Rapid elasticity
  • Metered service

Taylormade Public Clouds for each Client – lessons learnt about cloud strategy

Just in case a security advisor tells you:

Let me take a look at the cloud offering of provider XYZ and I’ll tell you what you need to change to be secure.

What is wrong about this statement? From my perspective this approach helps you to leave your path of industrialization and helps you to move back to IT manufacturing. I know that this is sarcastic thinking but the reason why I believe that you are a on a path of industrialization is that you are thinking about a highly automated delivery approach for IT when thinking about Cloud Computing. In case that you will tell your provider

  • “Implement this control”
  • “Create that report”
  • “Change authorizations in this way”
  • “Move my data to a single datastore”
  • “Do not host any other clients in the same environment you are using for me”

you are loosing the efficiency of a cloud service that is usually designed to run without paying attention to individual needs.

If you want to have your own resources you are stepping back to traditional service delivery concepts which are called “IT Outsourcing”.

Let me clarify my thoughts: It is the right idea to test your suppliers and find out whether they are able to deliver the level of security you need. But it is the wrong idea to start negotiating what they need to change to meet your expectation. The only moment when I feel that this is acceptable is the moment when your requirements would be accepted as general requirements to be implemented for each cloud user.

The consequence of negotiating hardware and software architecture as well as the delivery model and individualizations of a service model would be one of the following or even both in combination:

  1. Service Quality would remain the same like the contracted while other clients will benefit from continuous improvement processes.
  2. Cost model for the service will be higher than for the “standard service” due to individualizations.

I think you would not want to experience this.

Just in case that you experience breach of regulations you might want to discuss this with a cloud provider because complying with regulations is mandatory and not optional and is in the interest of the provider.

Conclusion

I want to summarize some basic Do’s and Dont’s when negotiating cloud service contracts:

  • Never change the delivery model – Do not try to change the IT architecture
  • Always test the service if it meets your requirements
  • Check for compliance
  • Never change the reporting format

I know that it attracts a huge number of consulting firms that tell you to negotiate changes with cloud providers to meet your expectations. Resist!

If you are talking about your own custom made cloud you can do whatever you want – but not with a public cloud service!

Security Goes Accounting

Posted on by
Reply

John D. Rockefeller IV, Chairman of the US Senate Committee on Commerce, Science and Transportation said:

“This guidance fundamentally changes the way companies will address cybersecurity … It will allow the market to evaluate companies in part on their ability to keep their networks secure.”

 What does that mean? 

To make a long story short: If your IT environment is critical to your business you need to consider the risk associated with it and evaluate potential risk caused by cybersecurity issues like DDoS, intrusions etc. and potentially include statements about this in your SEC filings.

The longer version of this short story!

Under „CF Disclosure Guidance: Topic No2. – Cybersecurity“ the SEC clarifies that existing disclosure requirements already include the evaluation of cybersecurity risks. They stated that potential investors may have an interest in evaluating a potential investment also based on security risk considerations.

Item 503(c) of Regulation S-K represents the heart of this guidance. Here registrants are requested to disclose significant risks that could affect investments in this registrant in a negative way, thus make investments speculative or risky in general. The guidance points out that regstrants shall disclose their risks associated with cybersecurity incidents or cybersecurity risks in general if they are considered tob e a material factor to the registrant.

As part of the evaluation registrants should consider likelihood and magnitude of those risks.

This includes various things like:

  • Outsourced functions
  • Business that might be affected by cybersecurity incidents
  • Already experienced cyberincidents

Where and how to disclose what?

Prevention / Software

Prevention of cyberattacks have to be registered in accordance with ASC (Accounting Standard Codification) 350-40, Intangibles – Goodwill and Other – Internal Use Software

Incentives / Penalties

To mitigate security breaches by providing incentives to clients have to be registered in accordance with ASDC605-50

Losses

Cyber Incidents may cause losses which have tob e registered in accordance with ASC 450-20, Contingencies – Loss Contingencies

Conclusion – Business Impact

First of all registrants need tob e aware of potential cybersecurity incidents and risks. This means that incident detection and response are absolutely mandatory to conclude on security breaches, but also a cyberthreat related risk approach is vital to determine potential monetary implications of a cybersecurity incident.

CFOs may tend to the position that IT itself is not critical to their business but as cybersecurity incidents become more and more serious and attacks become more and more focussed, a mind shift is essential to comply with accounting standards. Up to now there are only few companies that have a direct and effective link from their security function to their finance function. This is an essential requirement which can facilitate a mind shift in finance and security leading to improved skillsets in both functions.

Now CFOs have to understand security! With their 20-F filing at the SEC they confirm that they have taken security into their considerations and accounted for them propperly. This is not explicitely stated but implicitely. Since this guidance is in place no CFO can anymore deny the implications of security to their financial statements. SEC staff will question disclosures if in press and media registrants are mentioned together with security incidents that have caused business disruption. Certain industry sectors will not be able to deny anymore that they might be affected (e.G. Telcos seen as first line of defense by their countries).

The security function now needs to improve their accounting skills to better support the finance function regarding the compliance with disclosure controls and procedures. They need to understand the implication of security incidents on financial statements.

The last but most political consequence is that procurement organizations may take a look at the disclosures and add cybersecurity disclosures to their criteria list to register or remove suppliers from their supply chain. Nations may use this criteria to secure national supply chains.