Showing posts with label Cyber Threats. Show all posts

Friday, June 12, 2015

OPINION: Why Security Is Killing Risk Management


   For more than a little while, I have been writing quite a bit about the difference between security and mitigation. In that time, the United States has been riddled with numerous security breaches in both the physical and cyber realms. Whether they were riots over allegations of police brutality or breached firewalls protecting sensitive data, our headlines seem to allude to a failing state of security.
 
   As a professional who is on social media quite a bit, I have witnessed firsthand the hysteria surrounding these incidents. Every attack seems to be tweeted or blogged about to a point bordering on obsession. To be honest, I could not be more enthralled. Sure, these events are quite insightful for practitioners, since we learn how to defend against similar attacks in the future or conduct them ourselves. But that’s not what excites me. No. I’m thrilled to see events which demonstrate the connection between the psychology behind security, the illusion of protection it provides, and how our confusion about the differences between security and mitigation has created our current security crisis.

Security vs Mitigation

   In order to understand how security is killing risk management, let’s go over a few key terms. First, as stated before, security is nothing more than a psychological construct to provide us with the assurance that we’ve done everything possible to keep us safe from various threats. Humans are very fearful of their demise and naturally see threats to their survival as intolerable. Often, this feeling of security comes from repeating “safe” behaviors and providing what we assume are adequate protection measures. This, as we all know, is often based on untested data and the myth that victims can think in much the same way as their assailants.
 
   Protection is what we do proactively to detect, deter, delay, and destroy attackers, through mitigation. A great example is an executive protection detail. No successful detail operates on the assumption they can prevent attacks. Everything they do is with respect to the attack happening. This is what makes them very good at what they do and why so many in this field go on to become successful throughout the security industry.

   Security, as we know it, is often done with the mindset victims can prevent attacks. For example, we lock doors because we assume they will deny an adversary entry. What we fail to grasp is that the lock is there to delay the attacker so natural observers or victims can have sufficient time to detect the attack and take action. Many victims enter into a mindset where a locked door is all they require to be safe, without sufficiently comprehending the scope of the adversary’s capabilities and the target’s inadequate mitigation tools. Knowing the difference between security and mitigation is a great start to understanding the importance of risk management over just feeling safe. Heck. It’s the key to it.

The Important and Not-So Subtle Difference Between Threats and Vulnerabilities

   Speaking of risk management, there are a few other terms I think we should cover. Risk management has two fundamental keystones - threats and vulnerabilities. Often, we confuse threats with vulnerabilities in ways we don’t always catch. For example, I’ve seen people react to discovering a vulnerability as if it were one of the worst security events. This couldn’t be further from the truth. In fact, I find knowing there are areas a potential bad guy can exploit to enable their attack quite insightful. Sure, we like to catch these vulnerabilities before an attack, but that’s not always the case. What’s our insurance policy for such attacks? Planning ahead as if it’s already going to happen. What do we call that? Oh, that’s right - mitigation. Threats are merely bad actors who use vulnerabilities to conduct kinetic operations against their targets.

   Sometimes, I feel as if we forget that catching bad guys is the goal of effective protection measures. The threat will come and you should be prepared long before they do. You could plug every hole you can find but ultimately, as I heard throughout my military career, “the enemy gets a vote”. He will find a way in, inevitably, that you will miss. You should plan as though Murphy’s law is actually true. Often, no matter what you do, you may not catch the bad actors. This leaves you with having to take away as much power from the enemy’s punch as possible. Whether you’re reinforcing concrete or hardening firewalls, the premise is the same - if you can’t beat ‘em, make it hard as heck for them by shoring up existing vulnerabilities and anticipating the impending attack.

   Perhaps two of the most important and misunderstood terms in risk management are probability vs possibility. I see you over there laughing. If you are, then you probably know exactly why this is such a pet peeve of mine. With every major security event, there’s always someone on social media who declares “the end is nigh”. They begin rattling off how bad the breach was and then end by telling you how bad it’s going to get. Very rarely do you actually receive any sort of mitigation advice. If you’ve been following me since the now-infamous OPM hack, you’ve no doubt heard me prattle about this.

   Most of the consternation about the state of security is centered around our confusion between probability and possibility. This was perfectly illustrated by a not-so-recent story about the Islamic State capturing an airbase which had a few MiGs. Immediately, social media erupted with reports and predictions about ISIS flying MiGs very soon. If you know anything about training modern pilots and how the U.S. conducts targeting operations, you know this is not likely to happen. In other words, the probability of MiGs flying over ISIS territory is very small. Sure, it’s possible but not likely. A reality star who isn’t a narcissist is possible but not very probable. This is important to remember because security measures often fail based on how possible something is rather than its probability. Countless resources are expended on something that is not likely, while we ignore the threats we encounter daily. Successful security organizations employ measures based on a balance struck between the high probability of attacks always happening and the needs of the end-users.

Protect Yourself By Understanding Your Risks

   Risk management is nothing more than understanding what you have, whether you can lose it, who or what could take it from you, and what it will take to get it back or recover from its loss. In essence, risk management is nothing but acting proactively against a probable threat and ensuring you’re able to protect and if need be, recover from its loss or damage. The problem is, if social media is any indicator, many companies and organizations don’t do this. Again, let’s briefly discuss the OPM hack. I saw the eyeroll. I know we don’t have all the facts. I get that. I digress.

   OPM was allegedly hacked by attackers who stole sensitive data on federal employees. This is, understandably, big news. As it should be. The attackers were able to gain the information by attacking unpatched Department of the Interior servers. The information, according to folks formerly in the intelligence community, is extremely valuable counterintelligence information, and its compromise is completely unacceptable. What’s striking is, as I have noted on Twitter, the servers were connected to the Internet and vulnerable to outside attackers. Yet neither OPM nor the Department of the Interior bothered to patch the servers or encrypt their data. They, presumably, thought the threat of attack was minimal and did not require adequate mitigation. Imagine how much less of an uproar there would have been had they simply encrypted the data they stored. The government did everything I said earlier not to do.

   So what’s the answer? Simply, don’t do security but do mitigation. Being proactive with protecting yourself and your assets doesn’t require hiring Blackwater/Xe to track down Chinese hackers before they strike. No. Tailor your protection to what you will do when the attack occurs, the mission and goal of protection (detect, deter, delay, and destroy attackers), and what it will take to recover from the attack. Balance your measures between the likely or probable threats versus those that are possible but not highly likely. Before venturing off into the great abyss of security’s greatest enablers (fear, uncertainty, and doubt), I implore you to “see the light” and find the “truth” in mitigation through risk management.

Thursday, May 23, 2013

INFOGRAPHIC: The Cybercriminal Underground

TrendLabs, a leading information security firm, published this really awesome infographic about the cybercriminal underworld. It's certainly worth a look.


Monday, April 29, 2013

INFOGRAPHIC: Twacked! When good Twitter accounts go bad.

Given that we do so much communicating via social media about a variety of topics both personal and professional and the permanence of the content we post, it should be no surprise that those social media accounts are being sought out more and more by nefarious parties. The question is what are you doing to protect your account.


Saturday, March 16, 2013

VIDEO: Security Threats by the Numbers - Cisco 2013 Annual Security Report


The kind folks at Cisco published their Annual Security Report. What I like about what they did is they chose to publish in a video infographic format. As you can tell, I'm a HUGE fan of infographics. However, if you're a stickler for PDF reports, I'll have a link below the video of the entire report.

Some interesting facts:
  • Global cloud traffic will increase sixfold over the next five years, growing at a rate of 44 percent from 2011 to 2016.
  • Only one in five respondents say their employers do track their online activities on company-owned devices, while 46 percent say their employers do not track activity.
  • 90 percent of IT professionals surveyed say they do indeed have policies that prohibit company-issued devices being used for personal online activity—although 38 percent acknowledge that employees break policy and use devices for personal activities in addition to doing work.
  • Cisco’s research shows significant change in the global landscape for web malware encounters by country in 2012. China, which was second on the list in 2011 for web malware encounters, fell dramatically to sixth position in 2012. Denmark and Sweden now hold the third and fourth spots, respectively. The United States retains the top ranking in 2012, as it did in 2011, with 33 percent of all web malware encounters occurring via websites hosted in the United States.
To read more of the report, click here.

Saturday, February 2, 2013

INFOGRAPHIC: Everything You Ever Wanted To Know About Facebook Security

I found this infographic on Pinterest.com.  Some of this may be old news.  In light of what we know about Twitter's latest data breach, I wonder how Facebook has fared under similar attacks.  If you have any knowledge or even a broad understanding, we would welcome any commentary you might have.

Source: scribd.com via Return on Pinterest

Monday, December 31, 2012

Hire Anonymous! - Cyber Threat Summit 2012 by paulcdwyer



Paul C Dwyer, President of the ICTTF International Cyber Threat Task Force, discusses the concept of identifying talented individuals (hackers) before they are seduced into a world of cybercrime. He discusses traits and characteristics in such vulnerable minors, such as Asperger’s Syndrome, and references the case of Gary McKinnon.

Sunday, December 16, 2012

VIDEO: Wi-Fi Security by disconnecters




I found this little gem on YouTube. Give it a look. It's certainly very interesting given the relative ease with which Facebook and other social media accounts can be hacked. Here's the description from the folks at Disconnect on YouTube.
See how your Google and Facebook accounts can now be broken into through social widgets and see a new feature in Disconnect that protects you. Get Disconnect at https://disconnect.me/.
Contents:
  1. Wi-Fi Snooping (https://youtu.be/g5mFbgxMHqQ?t=26s)
  2. Widgetjacking (https://youtu.be/g5mFbgxMHqQ?t=1m32s)
  3. Disconnect Security (https://youtu.be/g5mFbgxMHqQ?t=4m10s)
Disclaimer: While we think understanding how quickly and easily a nonexpert can compromise your security is important, the attack shown in this video may be considered wiretapping where you live and shouldn't be tried at home except with consent!
Credits: Written by Brian Kennish. Filmed and edited by Dan Kwon. Animated by Brian Kennish and Dan Kwon. Music (http://soundcloud.com/folkmusicforrobots/widgetjacking) written and recorded by Brian Kennish. Portions filmed at Coffee Adventure in Milpitas, California (https://www.facebook.com/pages/Coffee-Adventure/361643370157).

Thursday, December 13, 2012

Cyber Defense: The facts associated with the hacker mindset

I made a really awesome contact with Terry Beaver, a cyber security expert to say the least.  During a recent conversation on LinkedIn, he directed me to his blog, Cyber Integrity.  I was immediately impressed by the first article I saw.  I've included links to the article and his blog throughout so you can check him out.  Terry, thanks again for continuing to push innovation in the cyber security realm.
The facts associated with the hacker mindset:
  1. Modern computers are finite state machines – they do not “think.” Hackers are highly intelligent and well skilled at their craft. We must respect that fact.
  2. Information is a commodity and tradeable.
  3. What man can conceive – man can and will hack.
  4. Retrofitting security onto existing platforms always fails – notwithstanding that most security systems were not designed from the inside out, beginning with understanding the hacker culture and methods.
  5. Teenagers have far more time and more energy than adults and will focus on what is cool. The good hack is very cool. Bragging rights are cool.
  6. While this statement was being written, attack vectors were exploited all over the world.
  7. In the commercial world, security is considered not a revenue generator but a revenue drain. In government, it takes second place to red tape. Too many government and business leaders are indifferent to security; at best, it is an afterthought laden with reactive vs. proactive behaviors.
  8. Hackers operate under a meritocracy – clue matters more than prestige and points are scored with their peers for successful hacks.
  9. Information has a shelf life and is subject to being exploited for hacker benefit.
  10. Intellectual property and sensitive data are a means for me to support my lifestyle.
Postulates of a Hacker:
  1. Understanding how things work is an advantage over ignorance.
  2. Curiosity and ego are more powerful motivators than money.
  3. Nationalism is more important to hackers than ‘props’ (AKA don’t hack where you live – PRC is an exception).
  4. Not all people are rational, therefore choices are not predictable.
  5. Finding flaws and vulnerabilities requires an unstructured approach, out-of-the-box thinking. This is contrary to a U.S. Government cleared engineer who follows structured guidelines.
  6. Success is relative to your environment and your alcohol intake or abusive behaviors. Hackers do not follow social norms and are very self-centric in behavior. It may not be disciplined, but often the “hack” works.
  7. There are no borders on the Internet.
  8. Accountability is an effective “deterrent” against “insecurity” – applies to you, not I. If you fire me up, I will hit (hack) you.
The Hacker’s conclusions:
  1. If you turn it on and connect it, they will come – and try and take it.
  2. It is curious how very smart and knowledgeable people will beat disciplined trained people and then watch the disciplined ones hide their failures.
  3. The hacker mindset is learned by experience, not by rote or title. Our status is measured on our successes, not on your GSA rating or rank.
  4. Capture the flag is the best paradigm for understanding security.
  5. The race is on to achieve the rapid penetration, not to the organized or disciplined standard or followed policy.
  6. Conventional defenses in “cyber” warfare are easily circumvented and those that set conventional policy are the easiest to hack.
  7. If someone wants to breach your security seriously or badly enough – they will.
  8. The best defense is one that never blinks or sleeps or needs a break, is always on and is real time. Problem is, that is a big challenge for people that have secure benefits, families, run errands for the wife, and go home on holidays and weekends. Hackers sleep only when they need to.
  9. Closing the barn door after the horse is gone does little good – if one program costs hundreds of millions of dollars to create innovation – and the R&D is acquired with very little work and time by an adversary, then the hack has met its goal and the owner of the R&D and his program has been compromised. It isn’t a simple task, for example, to fund and redesign a modern warfighter component that was years in the making once an enemy acquires your design.
  10. eCommerce is insecure – but so is regular commerce, including banking (lead pipe rule).
  11. Advancing and emerging hacker technology always defeats information security policies.
  12. Risk analysis matters more than policies and compliance – stopping an attacker in their tracks on the next hack is far more important than compliance.
  13. There is no accountability for poor security – only excuses.
  14. Competent adversaries exist and are growing in ranks (ATM hacks, Heartland, etc.). Cyber threats are increasing, not decreasing.
  15. Confidentiality is a function of time and energy.
  16. Bureaucracies are threatened by people who want to know how things work and hackers demand the right to know.

Monday, December 10, 2012

Cybersecurity | Senator Lieberman speaks before Senate about the need for cybersecurity legislation by JoeLieberman



The U.S. Senate Wednesday rejected a second chance to move forward with critical cybersecurity legislation supported by top-ranking members of the nation's intelligence, national, and homeland security communities. By a vote of 51-47, the Senate failed to approve a procedural motion to end debate on the bill, S. 3414, and move to a final vote. Read the full text of the Senator's statement here: http://www.lieberman.senate.gov/index.cfm/news-events/news/2012/11/senate-rejects-second-chance-to-safeguard-most-critical-cyber-networks-protect-economic-national-security

Senator Feinstein on Cybersecurity by SenatorFeinstein



Senator Dianne Feinstein spoke on the Senate floor on Nov. 12, 2012, about cybersecurity and the need to protect the United States from devastating cyber attacks.

Sunday, December 2, 2012

South Carolina Governor Discusses Cyber Intrusion by ThePentagonChannel



South Carolina Governor Nikki Haley talks to TPC anchor SSgt Josh Hauser about South Carolina's recent cyber intrusion and what help is out there for those affected. http://www.dvidshub.net/video/192098/south-carolina-governor-discusses-cyber-intrusion

Thursday, December 29, 2011

DEA Warns of Extortion Scams Using Online Pharmacies and DEA Agent Imposters



Buying prescription drugs online has always been a risky endeavor.  Customers have been duped by fraudsters who ship placebos and collect their cash.  Or they may not ship at all and just keep the money.  As if that weren't bad enough, the Drug Enforcement Agency is now warning that people are being victimized again by a new scheme.

Impersonating DEA agents, the criminals use these transactions to call the customers back and threaten arrest for violating drug import laws if they don't wire money to the fraudsters.  Some people have caved in and paid the money, only to realize the scheme too late.  Who falls for these crimes?  The elderly are usually easy prey.  This is due in part to their being the largest consumer base of online pharmacies, owing to the availability of less expensive drugs sold by overseas merchants.  Often, they do not understand the drug import laws and are more likely not to question a seemingly authentic authority figure in order to avoid further trouble.

According to The Denver Channel,
“I’m 52 years old. And I feel like the stupidest person on the earth. Why didn’t I listen to my husband. Why didn’t I do something different? Why am I so darn trusting after all these years?” said a Jefferson County woman who asked to be known only as Elizabeth.

She's cooperating with the DEA now and said she had purchased a weight-loss product online earlier this fall, and soon started getting phone calls at home from three different men, claiming a connection with the DEA.

Elizabeth said she wired nearly $10,000 to individuals in the Dominican Republic, believing she was avoiding jail time.
As you might have guessed or known, it is a crime to impersonate a federal agent.  The DEA is asking anyone receiving a telephone call from a person purporting to be a DEA special agent or other law enforcement official seeking money to refuse the demand and report the threat by calling 877-792-2873.

For further information, the DEA has a page regarding the scam at:
http://www.deadiversion.usdoj.gov/pubs/pressreleases/extortion_scam.htm

Friday, December 16, 2011

UPDATE: Lost Drone or Trojan Horse?



So if you've been keeping tabs on the lost UAV in Iranian hands, you've probably read recently the Iranian claims that they brought the bird down with "electronic warfare".  Many experts have pondered what techniques could have been used to bring down a "stealth" drone.  A popular theory has consistently been that the Iranians spoofed the Global Positioning Satellite link between the UAV and its base and used that technology to "guide" the aircraft to their base in Iran.  It's even supported by a report done by the US Air Force on UAV vulnerabilities.  In a nutshell, the Iranians and these experts are claiming the Iranians tricked the UAV into believing the Iranians were the American base in Afghanistan at which it was supposed to land.  What would this entail?  One theory I came across, via a comment on Bruce Schneier's original article on the lost UAV, was that the Iranians could have used a mixture of high-gain antennas, a microwave link, and two aircraft following at the same speed as the UAV.

I have some issues with this theory from an intelligence standpoint, as it supposes a lot about the Iranians and their capabilities.
  1. It would lead you to believe the Iranians have a need to bring down a drone which is simply taking pictures that any high-resolution satellite could pick up, albeit not in real-time.  The Iranians have known for quite some time that we've been using our technology to spy on them and what areas we would be "curious" about.  Heck, any fourth grade student who's ever played Call of Duty knows that as well.
  2. It presumes the Iranians have the intelligence to know exactly when a UAV is flying and over which area.  Where would they get this type of information?  We have captured ZERO moles inside our government who would/could link sensitive drone technology/intelligence to Iran.  They would require an immense amount of verifiable data for such a project to be undertaken undetected and implemented almost flawlessly, such as flight patterns (remember this is a "stealth" aircraft SEVERAL years in the making), satellite data which no other foreign government has used as of yet, real-time drone locations, and types of drones being flown.  Keep in mind the Beast of Kandahar wasn't "discovered" until 2009 at a base in Afghanistan.
  3. It assumes they would have the time to detect and dispatch the necessary equipment to those areas.  Even if Iran had the intelligence necessary, it has little in the way of "stealth" technology to test this against, let alone test it without raising eyebrows in Washington or Tel Aviv.
  4. Lastly, the Iranians never once thought to employ or use this in their campaign against the United States in Iran.  Seriously, why is this the first time the Iranians have showcased such a bird?  This presumes this is the first "stealth" UAV to fly over Iranian territory.  Surely, if they were as good as some pundits would have you believe, where are the other "stealth" drones?  I know - Iran, now claims to have seven other US drones.  What we know for a FACT is they have one verifiable drone in their custody.  How hard would it be to recreate a mock-up and say they "captured" the others?  Why now has the President requested just this one particular drone?  Because they only had this one and he already got what he wanted when it crashed.
  5. Just because something is possible does not make it plausible.  It is possible I could one day become the CEO of Microsoft, but given my lack of experience as the CEO of a major corporation, it is not plausible.  The same can be said of the Iranians.  They are great at many things.  And are a very good adversary.  However, this is a country that had a 7 year war with a country that took us a few months to overrun (barring the pseudo-quagmire that later ensued with the help of our Iranian "friends").  Having such technology could be useful, in many arenas and operational theaters for Iran, yet it only provides "fruit" for them now?
If I were in the business of punditry and consulting for major media networks, I would stick to the "massive intelligence failure" story.  However, I'm just a guy with a blog so I'll stick with what's plausible and wonder how a multi-million dollar "stealth" aircraft flown by the largest intelligence apparatus has a "mechanical failure" over an enemy's territory whose nuclear development program was brought to its knees by a computer virus invented probably by the aforementioned intelligence agency.

Wednesday, December 14, 2011

What happens online - NEVER stays there....


Pay VERY close attention to what I have to say:
  1. The information you see below is not stored on our site and is only visible to you.  I found this site while looking for resources on background check (mostly locating skips).
  2. The information was compiled using information (i.e. torrent files you downloaded, IP address) your computer provided when you, someone in your home, or someone who gained access to your WiFi network downloaded those files.
  3. I am publishing this tool with the hope people will gain a better insight into how their activities can and are being monitored on the Web via information they provide sometimes unknowingly.
  4. There is a removal tool.  However, it only removes your information from their site.  I HIGHLY, HIGHLY, HIGHLY suggest you use it and never have a need for it again.

Monday, October 3, 2011

My, how times have changed....Haven't they????....

Saw this gem on Twitter......Can't remember from whom (sorry)......Makes you wonder how far we've come with our perceptions of hackers and the threat they pose......


Thursday, May 22, 2008

Chinese Really Dig Cyberwarfare...You Think?

My ultra-favorite security magazine Security Management has written an article detailing the testimony of certain government officials and contractors before the U.S.-China Economic and Security Review Commission. They informed the panel "that the Chinese government has embraced cyberwarfare and is directing its intrusions at U.S. government and critical infrastructure networks." According to Colonel Gary D. McAlum, director of operations for the Joint Task Force for Global Network Operations,
"The People's Republic of China has concentrated primarily on cyber-reconnaissance, particularly data mining, rather than cyberattacks."

What about all of the attacks originating from China we've been reading about? Don't fret. The Chinese have set a goal of 2050 to achieve "electronic dominance" through attacks on information infrastructure.


While the DoD won't come out and say the world's second largest economy is vying for supremacy through hacking, it did note "a 31 percent increase in malicious activity on its networks from 2006 to 2007." What attraction does cyberwarfare have for such a country as China? It provides anonymity and an "asymmetrical advantage", according to Dr. James Mulvenon, director of advanced studies and analysis for Defense Group, Inc.


Commission Co-chairman Peter T.R. Brookes cited attacks last spring on Estonia, recalling that it wanted to invoke the collective defense clause of the NATO Charter, and said "this is a question of escalation" moving from non-conventional to conventional, i.e. military, responses.

Mulvenon said there's no reason why the United States should restrict itself to trying to deter cyberattacks electronically. His next remark should sound familiar.

"We should ... begin with the premise that we have all the tools of ... national power, and in many cases it might not be to the U.S. advantage to respond to an electronic or cyberintrusion or cyberattack simply in that realm," he said. "We may, in fact, want to take advantage of escalation dominance that we have in other elements of national power, whether it’s military or economic."

CyberCommand anyone? What about this little tidbit from the article?

Michael R. Wessel said he fears that the perimeter security methods such as routers and firewalls used to protect against network intrusion are produced overseas, increasingly in China. "Can we in fact have a secure perimeter," he wondered, "if in fact the Chinese are helping to build that perimeter?"

The nasty Cisco routers keep creeping back into the blogosphere. For more information from Security Management, click here.
