Archive for the ‘Risk Management’ Category

An Unbreakable Internet of Things

November 18, 2015 Leave a comment

I don’t read every press release that comes down the wire. But when I see one from a cyber security company called Secret Double Octopus–no lie–I take notice.

“Secret Double Octopus. This has gotta be good,” I thought to myself.

The real thrust of the press release is this. Encryption is strong, but the key-management infrastructure around it isn’t, so secrets leak. By “shredding” the data into pieces and sending the pieces through different routes, any traffic intercepted on a single route is unusable on its own.

That’s good, but there is more. There is another sexy idea in the announcement by Secret Double Octopus, and that is a world without keys. Keys are the secret values that lock and unlock secure communications across a network, and key management is the weakest link in the otherwise robust encryption architectures we use today: the ciphers rarely fail, but keys get stolen, mishandled or left where they should not be. So if we can eliminate keys and key infrastructure, we take away the biggest source of risk.

Secret Double Octopus claims to do just that using mathematical theory already several decades old and well respected in the academic and cryptographic communities. In layman’s terms, this “new” technique is called “secret sharing” (Shamir’s 1979 threshold scheme is the canonical example). The core of the solution is to starve the attacker of sufficient information for any meaningful computation. In geek speak, “you cannot solve one equation in two unknowns.”

Bottom line: even after capturing some of the data transmission, the attacker lacks the information needed to solve for the secret. The caveat a practitioner should keep in mind is that this holds only as long as fewer than the threshold number of pieces pass through any single point the attacker can intercept; the security comes from the split, not from the pieces themselves.
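To make the “one equation too few” idea concrete, here is the textbook form of secret sharing, Shamir’s threshold scheme, as an added example. This is not code from the post and not Secret Double Octopus’s product; the field prime, the share counts and the “IoT device key” value are assumptions made up for the demo. A secret is hidden as the constant term of a random polynomial of degree k-1, each share is a point on that polynomial, and any k shares recover it by interpolation. The last function shows the part that matters for this post: with only k-1 shares, every candidate secret is consistent with what the attacker captured, so the captured pieces reveal nothing.

```python
# Shamir's (k, n) threshold secret sharing over the prime field GF(P).
# Added illustration for this post; not Secret Double Octopus's code.
# The prime, share counts and the sample key below are made up for the demo.
import secrets

P = 2**127 - 1  # Mersenne prime; every value below is reduced mod P


def _lagrange(points, x):
    """Evaluate, at x, the unique polynomial of degree < len(points)
    passing through `points` (a list of (x_i, y_i) with distinct x_i)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_secret(secret, k, n):
    """Split `secret` into n shares; any k of them reconstruct it.
    The secret is the constant term of a random degree-(k-1) polynomial,
    and share i is the point (i, f(i)) for i = 1..n."""
    if not (1 <= k <= n < P and 0 <= secret < P):
        raise ValueError("need 1 <= k <= n < P and 0 <= secret < P")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]

    def f(x):  # Horner evaluation of the polynomial at x
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares):
    """Recover the secret f(0) from at least k distinct shares."""
    return _lagrange(shares, 0)


def consistent_share(captured, candidate_secret, x):
    """Given k-1 captured shares and ANY candidate secret, return the share at x
    of the degree-(k-1) polynomial passing through both. Such a polynomial
    exists for every candidate, which is why k-1 shares say nothing about
    the true secret: the attacker has one equation too few."""
    return _lagrange([(0, candidate_secret)] + list(captured), x)


def demo():
    """Walk through the split, the legitimate rebuild, and the attacker's view."""
    secret = int.from_bytes(b"IoT device key", "big")   # 14 bytes, so < P
    k, n = 3, 5
    shares = split_secret(secret, k, n)

    # Any 3 of the 5 shares rebuild the secret, whichever 3 they are.
    assert reconstruct(shares[:3]) == secret
    assert reconstruct([shares[0], shares[2], shares[4]]) == secret

    # An eavesdropper who grabbed only shares 1 and 2 (one short of the
    # threshold) gets a wrong value, with overwhelming probability, if they
    # interpolate anyway...
    captured = shares[:2]
    assert reconstruct(captured) != secret

    # ...and cannot rule anything out: the real secret and a wrong guess are
    # both consistent with the captured shares. Each yields a valid share 3;
    # only one matches the real share 3, but the attacker cannot tell which.
    assert consistent_share(captured, secret, 3) == shares[2][1]
    assert consistent_share(captured, 12345, 3) != shares[2][1]
    return True


if __name__ == "__main__":
    print("ok" if demo() else "fail")
```

The routing claim in the press release maps onto this directly: if each share travels a different path, an attacker sitting on one path holds one point of a polynomial whose degree is at least one, and that point is consistent with every possible secret. Capture k paths, though, and the whole thing unravels, which is why the number of independent routes, not the cipher, is the security parameter here.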

Securing our most sensitive data, and eliminating troublesome keys is the mission of Secret Double Octopus.

The impact could be huge. Today banks know that their PKI (public key infrastructure) is not secure enough for their most sensitive transmissions. And the demands of the Internet of Things have already strained PKI to the breaking point. Secret Double Octopus (I love saying that!) comes to the rescue, potentially enabling billions of secure, keyless transactions between cars, trains, factory machines and toasters to the cloud and to private networks.

The coming months will be fun to watch as this new startup out of Israel demonstrates its capabilities and attempts to disrupt the security and networking worlds.


Famed security adviser, Steve Hunt explains, “Why I Hate Security.”

November 16, 2015 Leave a comment

These criticisms of cybersecurity and risk management are nothing new. You’ve heard them all before, or muttered them under your breath. If you are a business executive, you’ve shaken your head when you’ve seen it. And if you are a security professional, you’re guilty of more than one.

  • “I hate security.”
  • Much of what passes as security is no more than window dressing, or, as Bruce Schneier has called it, Security Theater, with its posturing, phony controls and security guard bravado.
  • Not a week goes by without a CIO or other executive hearing a pitch from a security vendor whose eyes bug out as the words ooze fear, uncertainty and doubt.
  • Security directors, including some of the most esteemed CISOs, can be seen from time to time running the halls, arms flailing overhead, screeching “The sky is falling! The sky is falling!”
  • Risk management experts talk for hours about the “fuzzy logic” of measuring impact and likelihood, using game theory, and generally talking until the audience goes numb.
  • And when the big one happens, when the big data breach hits, as it inevitably does, security pros and business executives alike point fingers at budgets, and internal politics, and vendor missteps for blame.

So I am here to give you the straight dope. To address all of these complaints once and for all. To put the discussion to rest so we can all move on.

Security is all those things.
Security IS often mere theatrics.
Vendors DO commonly sell FUD in place of value.
Risk management experts DO often employ pseudo science “to definitively calculate” intangible and unknown risks.
CISOs DO sound like Chicken Little when they predict the things we simply aren’t prepared for and need more budget for.
And security pros DO like to find a scapegoat.

All of these things are true, and security deserves its criticism.

I personally, however, look at it differently. Security is something special to me. For example, when I see a CISO work his or her way out of a messy data breach by responding quickly, limiting impact, and recovering smoothly–it gives me a very satisfied feeling.

Moreover, when I think of my own career as a security professional, I think of the truly costly and damaging attacks that we’ve avoided by working hard to improve continuously.

In the early 1990s I worked at a financial institution in Chicago. We got hacked–before we even had the word “hacked.” The bulletin board server was fine yesterday, but today it isn’t, and the audit log is gone. As we scratched our heads an ol’ timer leaned over us and said, “Looks like you got a security problem with your computer.”

I was stunned. I had never considered security and computers in the same thought before. My father was a locksmith, and I had worked my way through college and grad school at the University of Chicago with my own locksmith company and building PC clones on the side. So when I heard those words, a light bulb went on. I thought to myself, I know security, and I know computers. Right then I began retooling for a career in computer and network security. Right place. Right time.

So security gave me an entrée into the world of the fledgling Internet, and into the world of creating value for the business in ways I never could have imagined before that fateful day seated cross-legged on the floor, under a desk, staring blankly at the back of a bulletin board server.

Security also did much more than that. It solved real problems. From the script-kiddies of the ’90s to the state sponsored hacking of the 2000s, security gave hundreds of professionals an opportunity to fight in very foreign territory–guerrilla IT warfare. We created a new way of operating the Internet, and we opened doors permitting businesses to create value and revenue in new ways. For example, the security community put its collective head together limiting loss sufficiently to make online commerce (once called e-commerce) a reality.

Converged approaches to physical and cyber security for the decade beginning 2001 created an amazing new world of inter-networked security cameras, intrusion detection, gates, fences, locks, employee ID badges, laptops, personal devices, and home automation controls. Everything was suddenly networkable because the basic questions of authentication and authorization (who are you? and, what are you supposed to do?) were answered by security professionals.

Today, we are coming up with clever ways to extend the work we did previously and apply it to the Internet of Things. Soon, we will see alternatives to keys and locks being used widely in the secure networking of any and every common device at home or sensor on a locomotive. Homes will operate more efficiently and businesses will make countless billions in new revenue because of IoT. This is possible because the security industry truly is doing its best.

Does security have its foibles? Is it security theater laced with FUD, bad logic and blame? Yes. But does it create value that outweighs its sometime silliness? Yes it certainly does. For me personally, it has provided me many benefits and opportunities, making me a better philosopher of technology, a better technologist in general, a better citizen of the world, a better provider for my family.

So the next time you sit through another ridiculous vendor pitch about all the bad things that will happen if you don’t buy their product, use your phone to securely transfer funds at your bank, or buy a gift for your kid on Amazon, or plan the next product launch with confidence that the security pros have your back.

Avoid the ROI trap

September 22, 2014 1 comment

When legendary former Gartner analyst, Vic Wheatman, and I discussed our latest webinar, we tackled the issue of creating and measuring value.

After the webinar ended, my wheels kept turning as I considered some research I’d completed recently. For one thing, I learned that CEOs think security executives are excellent security managers — but downright rotten business-people.

Specifically, CEOs complain that security executives still have the mentality of “keeping bad things from happening” rather than the more business-minded approach of “adding value to the business.”

Here’s the trap. Solving a security problem under budget is not a matter of “finding the best deal.” It is a matter of solving the problem most cost-effectively. Click here for the recorded webinar. And read more HERE.


Your CISO will soon need more clout

September 4, 2014 1 comment

If consumers weren’t skittish enough, Home Depot recently joined the rapidly lengthening list of big box retailers experiencing sometimes prolonged data breaches: Albertson’s, Dairy Queen, The UPS Store, Sally Beauty, Target, Michael’s, Neiman Marcus, P.F. Chang’s and SuperValu.

More than a few Chief Information Security Officers (CISOs) must be nervous. In fact, it may be forcing corporations that do not have a CISO to rethink that strategy. Often the CISO position is folded in with, or serves under, the Chief Information Officer (CIO), or even, where the CIO reports to the Chief Financial Officer (CFO), as is the case in some organizations, sits two layers under the seat of power. So the person charged with security risk management may not have the authority to get things done.

With the recent spate of high-profile data breaches, relying on the CISO’s message being translated up the chain, or tolerating the perception that the job is not important enough to be a direct report, may not cut it anymore. Shareholders and customers want answers.

Consumers also are flocking to convenient online sites, where they have few other choices than to use a credit or debit card.

Data breaches, whether prolonged or short lived, especially those that compromise customer information, are black eyes that eventually will force consumers to keep their credit and debit cards at home. Having the man or woman in charge of mitigating IT risk fairly far down the food chain doesn’t look good, no matter whose ear he or she may have.


GRC is not about Risk or Compliance

August 26, 2014 3 comments

In my earlier post, “Security is Not the Point,” I explained why to most people security is an annoying layer of cost and inconvenience. I said that no one wants security, they want the benefits of security. But if security is not the point, what is?

The last time you had to do some tedious paperwork, you were no doubt muttering under your breath that you’d rather be doing the actual project and not filling out forms and writing a report. We are all like that. Documenting tasks and processes is not fun.

Compliance is like that, too. It is considered the necessary evil, the tedious paperwork required by “the powers-that-be” to meet some basic level of due care. Compliance requirements define the “minimums” for demonstrating that the business is being run responsibly.

However, compliance has a more attractive cousin. Read more HERE.


Anonymous Tactics (from the attacks reported on by Imperva)

March 6, 2012 3 comments

I am also the editor of the Neohapsis Labs blog. The following is reprinted with permission from

by J. Schumacher

Security professionals have been following the collective of Internet users calling themselves Anonymous for a few years now, trying to understand their tactics as they cause cyber mayhem. There were two well-written publications in recent weeks that caught my eye: The New York Times’ “In Attack on Vatican Web Site, a Glimpse of Hackers’ Tactics” and Imperva’s “Hacker Intelligence Summary Report, the Anatomy of an Anonymous Attack”. These articles shed light on how Anonymous takes a call to arms, recruits members, and searches for action. After reading these articles I kept thinking about the current state of the Internet and wondering about the future of Anonymous and the cyber pandemonium it creates.

Taking the Imperva report as factual, the collective group of Anonymous has an approximate 10:1 ratio of laypeople to skilled hackers, which I believe limits the sophistication of attacks. I say “collective”, as targets for attacks are not often handed down from above, but must be approved or agreed upon by the masses before being launched. One very interesting note in Imperva’s report was that the attacks Imperva monitored in 2011 did not use bots, malware or phishing for exploitation; instead, end users actively ran tools or visited special web sites to aid in the attack. There was a high level of public recruitment through social media such as Twitter and Facebook, which can also serve to warn the victim before the attack properly hits.

The New York Times article mentions that the attack on the Vatican took 18 days to gain enough recruits, and automated scanning tools were used for reconnaissance of the Vatican’s web presence during this time. In this attack Anonymous was seeking to interrupt International Youth Day by a certain date, but when that failed Anonymous changed tactics to widespread distribution of software for Distributed Denial of Service (DDoS) so they could hit the Vatican with a thousand-person attack. There were mixed statements from Anonymous and Imperva (who was a contractor for Internet security monitoring) regarding whether any sites across the globe were truly taken offline for any amount of time.

I think that Rob Rachwald, Imperva’s director of security, was quoted best in The New York Times article as saying, “Who is Anonymous? Anyone can use the Anonymous umbrella to hack anyone at any time.” However, I believe Anonymous has currently reached its collective peak and will never be the same as in its early 4chan or even 2008 days. By no means, though, has the world heard the last of Anonymous, as people will be claiming affiliation to the collective “group” for a very long time to come, and I believe it will also continue to evolve. How this change takes place is going to be exciting to see, as Anonymous claims an “ideas without leaders” mentality and relies on the general public for consensus on missions.

Recently, an interesting report from Symantec also came out about how Anonymous affiliates were tricked into installing the Zeus Trojan by a Pastebin tutorial covering how to install and use one of the attack tools, the Low Orbit Ion Cannon (LOIC), to support DDoS attacks. Established Twitter handles for Anonymous contributors (YourAnonNews, AnonymousIRC, AnonOps) have tweeted that this was not done by Anonymous. But with no leadership accountable (due to the collective nature of Anonymous), there is nothing to say whether this is true, whether another entity is sabotaging Anonymous’ public fanfare, or whether it was simply someone taking advantage of free publicity to trick users into installing malware. Since what many call the start of Anonymous in 2008 (the Scientology attacks), there have not been any other large-scale compromises of those supporting attacks through infected tools, but this new activity could hurt the future of Anonymous recruitment and public support.

Depending on whether this recent instance of infected tools was a fluke, I see the future of Anonymous involving skilled hackers growing in number through a Wild West collaborative honing of their talents, while the true base of Anonymous stays largely unskilled. The skilled will, at times, directly and indirectly work for entities (such as large-scale crime syndicates as well as private entities) to whom they are lured by big pay for work that will never be reported in any newspaper. The skilled hackers will still participate in Anonymous causes, and they will also enable other Anonymous members (by writing attack tools, scripts or apps), while keeping knowledge of their well-paid exploits limited to a smaller private offshoot group. These offshoots will put dedication into advanced exploits that require some financial backing to set up (such as servers for social engineering, injection data repositories, proxies and bots), but these exploits will most likely never be communicated to the larger Anonymous collective or used for the social causes of the masses, but rather for private gain.

At the same time, the unskilled hackers, making up the majority of the group, are essential to Anonymous at large for bringing attention and support to causes, identifying weaknesses in networks, performing DDoS attacks and being an overall distraction and a crowd to hide in. It seems bots will be unnecessary, replaced by humans where that is simpler. A large army that is not connected (outside of the odd one-off message to public forums or social media) provides a large pool that the authorities must sift through to find the dedicated Anon. The collective group of Anonymous has shown support for many social causes, like the Occupy movement and free-speech outcries over proposed Internet legislation. At the same time, Anonymous seems to have very publicly promoted every hack and breach that has been reported since 2010, whether the data exposed belonged to government, private industry or public citizens.

I like to think of myself as a practical, but at times wishful, person.  As I see it, the core ideology of the Anonymous’ movement is not going away, as their cause is not so much new as is the platform for their disobedience.  There are some basic controls that organizations can implement to protect themselves from a virtual protest, whether the risk is from DDoS attacks or exploits of un-patched public devices.  In the near term, I do not see a high probability of Anonymous becoming a super group of hackers that perform sophisticated attacks in the likes of Stuxnet. Nor do I see the possibility of a large scale take down of critical infrastructure.  There will always be a risk and sometimes possible threats to critical infrastructure through technology but this risk can be largely mitigated through proper assessment and mitigating controls.

Side note –

If the recent instance of infected tools continues with other causes, then I believe we have seen the end of wide support for Anonymous. Distrust has always been a concern for involved members, with very recent arrests across the globe for LulzSec. Anonymous will need to do internal damage control to prevent the collapse of the collective group and public distrust of causes brought up by the Anons. Even if the hacking group Anonymous goes in a different direction, the damage has been done, and Internet society can never psychologically reverse the damage from the last five years.

As I was writing this post, news came out that a prominent member of Anonymous, Sabu, has been arrested by the FBI along with five others. We will have more details once the dust settles a bit and all news sources can be processed; stay tuned.

Groundhog Day in the Application Security World

February 1, 2012 4 comments

I am also the editor of the Neohapsis Labs blog. The following is reprinted with permission from

By Michael Pearce, a Security Consultant and Researcher at Neohapsis

Throughout the US on Groundhog Day, an inordinate amount of media attention will be given to small furry creatures and whether or not they emerge into bright sunlight or cloudy skies. In a tradition that may seem rather topsy-turvy to those not familiar with it, the story says that if the groundhog sees his shadow (indicating the sun is shining), he returns to his hole to sleep for six more weeks and avoid the winter weather that is to come.

Similarly, when a company comes into the world of security and begins to endure the glare of security testing, the shadow of what they find can be enough to send them back into hiding. However, with the right preparation and mindset, businesses can not only withstand the sight of insecurity, they can begin to make meaningful and incremental improvements to ensure that the next time they face the sun the shadow is far less intimidating.

Hundreds or thousands of issues – Why?

It is not uncommon for a Neohapsis consultant to find hundreds of potential issues to sort through when assessing a legacy application or website for the first time. This can be due to a number of reasons, but the most prominent are:

  1. Security tools that are paranoid/badly tuned/misunderstood
  2. Lack of developer security awareness
  3. Threats and technologies have evolved since the application was designed/deployed/developed

Security Tools that are Paranoid/Badly Tuned/Misunderstood

Security testing and auditing tools, by their nature, have to be flexible, able to work in most environments and at various levels of paranoia. Because of this, if they are not configured and interpreted with the specifics of your application in mind, they will often report a large number of issues, the majority of which are noise that should be set aside until the important issues are fixed. If you have a serious, unauthenticated SQL injection that exposes plain-text credit card and payment details, you shouldn’t spend a moment stressing about whether your website allows 4 or 5 failed logins before locking an account.

Lack of Developer Security Awareness

Developers are human (at least in my experience!), and have all the usual foibles of humanity. They are affected by business pressures to release first and fix bugs later, with the result that security bugs may be de-prioritized as “no-one will find that”, and so “later” never comes. Developers are also often taught about security as an addition rather than a core concept. For instance, when I was learning programming, I was first taught to construct SQL strings and write verbatim web page output, and only much later to use parameterized queries and HTML encoding. As a result, even though I know better, I sometimes find myself falling into bad practices that could introduce SQL injection or cross-site scripting, because the practices that introduce these threats come more naturally to me than the secure equivalents.

Threats and Technologies have Evolved Since the Application was Designed/Deployed/Developed

To make it even harder to manage security, many legacy applications were developed in old technologies which are either unaware of security issues, have no way of dealing with them, or both. Threats also arrive at different times: SQL injection has been known about for around 15 years, and cross-site scripting for a little less than that, while others, such as clickjacking and CSS history stealing, are far more recent.

When an application was developed without awareness of a threat, it is often more vulnerable to it, and when it was built on a technology that was less mature in approaching the threat remediating the issues can be far more difficult. For instance, try remediating SQL injection in a legacy ASP application by changing queries from string concatenation to parameterized queries (ADODB objects aren’t exactly elegant to use!).
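The two habits described above (building SQL by string concatenation, and writing user input verbatim into a page) and the remediation the previous paragraphs describe (switching to parameterized queries and output encoding) are shown side by side here as an added example. This is not Neohapsis code and not the legacy ASP in question; it uses Python’s built-in sqlite3 driver, and the users table, rows and payload strings are constructed for the demo. The vulnerable and safe lookups receive exactly the same bytes; the difference is whether those bytes reach the database as part of the SQL grammar or as a bound value.

```python
# Vulnerable vs. hardened versions of the two habits the post describes:
# building SQL by string concatenation and writing user input verbatim into HTML.
# Added illustration, not Neohapsis code; the table, rows and payloads are made up.
import html
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 0),
         ("bob", "bob@example.test", 0),
         ("root", "root@example.test", 1)],
    )
    return con


def find_user_vulnerable(con, username):
    """String concatenation: the attacker's input becomes part of the SQL grammar."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return con.execute(query).fetchall()


def find_user_safe(con, username):
    """Parameterized query: the driver passes the value separately from the SQL
    text, so a quote in the input is just data and can never close the literal."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return con.execute(query, (username,)).fetchall()


def render_profile_vulnerable(username):
    """Verbatim output: a <script> in the username becomes markup in the page."""
    return "<p>Hello, " + username + "</p>"


def render_profile_safe(username):
    """HTML-encode at the output boundary so the browser shows the text literally."""
    return "<p>Hello, " + html.escape(username, quote=True) + "</p>"


# Constructed attacker inputs.
PAYLOAD_SQLI = "x' OR '1'='1"
PAYLOAD_XSS = "<script>alert(1)</script>"


def demo():
    """Run both payloads through both code paths and return what each produced."""
    con = make_db()
    # The tautology turns "find this user" into "return every user".
    leaked = find_user_vulnerable(con, PAYLOAD_SQLI)
    # The same bytes, bound as a parameter, match nobody.
    safe = find_user_safe(con, PAYLOAD_SQLI)
    return {
        "vulnerable_rows": len(leaked),                 # 3: every row, admin included
        "safe_rows": len(safe),                         # 0: no user is literally named that
        "normal_lookup": find_user_safe(con, "alice"),  # parameters don't break normal use
        "xss_raw": render_profile_vulnerable(PAYLOAD_XSS),
        "xss_escaped": render_profile_safe(PAYLOAD_XSS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the safe version does no input “sanitizing” at all; it does not need to, because the value never touches the query text. That is the property to look for when remediating a legacy code base: if a fix works by stripping quotes rather than by binding parameters, it is a filter, not a fix, and the next encoding trick will get past it.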

Dealing with issues

Once you have found issues, then comes the daunting task of prioritizing, managing, and preventing their reoccurrence. This is the part that can bring the shock, and the part that can require the most care, as this is a task in managing complexity.

The response to issues requires not only looking at what you have found previously, but also what you have to do, and where you want to go. Breaking this down:

  1. Understand the Past – Deal with existing issues
  2. Manage the Present – Remedy old issues, prevent introduction of new issues where possible
  3. Prepare for the Future – Expect new threats to arise

Understand the Past – Deal with Existing Issues

When dealing with security reports, it is important to always be psychologically and organizationally prepared for what you find. As already discussed, this is often unpleasant and the first reactions can lead to dangerous behaviors such as overreaction (“fire the person responsible”) or disillusionment (“we couldn’t possibly fix all that!”). The initial results may be frightening, but flight is not an option, so you need to fight.

To understand what you have in front of you, and to react appropriately, it is imperative that the person interpreting the results understands the tools used to develop the application; the threats surrounding the application; and the security tool and its results. If your organization is not confident in this ability, consider getting outside help or consultants (such as Neohapsis) in to explain the background and context of your findings.

Manage the present – Remedy old issues, prevent introduction of new issues where possible

Much like any software bug or defect, once you have an idea of what your overall results mean you should start making sense of them. This can be greatly aided through the use of a system (such as Neohapsis Security Manager) which can take vulnerability data from a large number of sources and track issues across time in a similar way to a bug tracker.

Issues found should then be dealt with in order of the threat they present to your application and organization. We have often observed a tendency to go for the vulnerabilities labeled as “critical” by a tool, irrespective of their meaning in the context of your business and application. A SQL injection bug in your administration interface that is only accessible by trusted users is probably a lot less serious than a logic flaw that allows users to order items and modify the price communicated and charged to zero.
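The price-tampering flaw mentioned above is worth seeing in code, because it is exactly the kind of issue a scanner rated “critical” list will not contain: the request is perfectly well formed, it is just a request the business should never honour. The following is an added example, not Neohapsis code; the catalog, the order format and the quantity limit are assumptions made up for the demo. The vulnerable handler trusts the price the client sent along with the order; the hardened one looks every price up server-side and validates the quantity, so the only thing the client controls is which items and how many.

```python
# A business-logic flaw a scanner cannot see: the order is well formed, the
# server just trusts a value it should have computed itself.
# Added illustration, not Neohapsis code; catalog, order format and the
# quantity ceiling are made up for the demo.

CATALOG = {"widget": 2500, "gadget": 9900}  # constructed; prices in cents
MAX_QTY = 100                                # assumed per-line ceiling


class OrderError(ValueError):
    """Raised when an order line fails server-side validation."""


def charge_vulnerable(order):
    """Trusts the price the client sent with each line (think hidden form
    field or JSON body). Anyone who edits the request pays what they like."""
    return sum(line["price"] * line["qty"] for line in order)


def charge_safe(order):
    """Prices come from the catalog, never the request, and quantity must be
    a positive integer within the ceiling (bool is excluded: True == 1)."""
    total = 0
    for line in order:
        sku = line.get("sku")
        if sku not in CATALOG:
            raise OrderError(f"unknown sku {sku!r}")
        qty = line.get("qty")
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise OrderError(f"bad quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty
    return total


def demo():
    """Charge an honest order and a tampered one through both handlers."""
    # Constructed tampered request: price zeroed on one line, and a negative
    # quantity on a second line to drive the total below zero.
    tampered = [{"sku": "gadget", "qty": 1, "price": 0},
                {"sku": "widget", "qty": -3, "price": 2500}]
    honest = [{"sku": "gadget", "qty": 1, "price": 9900}]

    results = {
        "vulnerable_honest": charge_vulnerable(honest),      # 9900, looks fine in testing
        "vulnerable_tampered": charge_vulnerable(tampered),  # -7500, a "refund"
        "safe_honest": charge_safe(honest),                  # 9900, computed server-side
    }
    try:
        charge_safe(tampered)
        results["safe_tampered"] = "accepted"
    except OrderError as exc:
        results["safe_tampered"] = str(exc)                 # rejected on the bad quantity
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The honest order produces the same number through both handlers, which is why this class of bug survives QA: nothing looks wrong until someone sends a request the UI would never generate. Finding it takes a human reading the order flow, not a tool, and that is the point about prioritizing by business context rather than by a scanner’s severity label.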

Also, if required, your organization should rapidly institute training and awareness programs so that no more avoidable issues are introduced. This can be aided by integrating security testing into your QA and pre-production testing.

Prepare for the future – Expect new threats to arise

Nevertheless, even if you do everything right, and even if your developers do not introduce any avoidable vulnerabilities, new issues will probably be found as the threats evolve. To detect these, you need to regularly have security tests performed (both human and automated), keep up with the security state of the technologies in use, and have plans in place to deal with any new issues that are found.


It is not unusual to find a frightening degree of insecurity when you first bring your applications into the world of security testing, but diving back to hide is not prudent. Utilizing the right experience and tools can turn being afraid of your own shadow into being prepared for the changes to come. After all, if the cloud isn’t on the horizon for your company then you are probably already immersed in it.