Your Security Is The Key To Our Success!

Innovation Matters: Ransomware "Kill Switch"


“Wicked” Business Problem:

Organizations running flat networks are especially vulnerable to high-impact attacks, like ransomware, that depend on lateral movement: once one host is compromised, every other host is reachable.
                               
Innovative Approach:
The ability to move from a flat network to a layer-3 isolated (micro-segmented) network (IT/OT) in a matter of hours with NO downtime or 3rd-party agent software.
 
Vetted Solution:
Airgap’s elegant approach is truly innovative and worthy of consideration. Using DHCP to build a layer-3 overlay network, they can transform a legacy flat network into a virtual environment that follows the Purdue model. Prebuilt logic provides the ability to prevent ransomware propagation and introduces a “kill switch”, which can be activated in the case of a ransomware outbreak to cut lateral traffic between segments.
 
Call To Action:
Educate yourself on Airgap's innovative approach to layer-3 isolation and segmentation.

Facilitated Innovation & Structured Choice

What is it?
·       A field-proven methodology that identifies self-funding business cases and drives transformational change. I have used this method successfully in my practice for many years now.
 
How does it work?
·       Facilitates a dialog with key stakeholders who can affect organizational change.
·       Aligns the organization’s mission with stakeholder capabilities (known & latent).
·       Determines what MUST be true in order for the organization to achieve its mission objectives.
·       Optimizes value across diverse stakeholder communities.
·       Leverages rapid prototyping to Fail/Succeed Fast as measured against key proof points.
·       Delivers in 30-90 Day Proof of Value (PoV) sprints.
·       Produces a pipeline of Innovation Candidates to support a transformation plan of record.
·       Populates an organization-specific Curated Service Catalog that is fit for purpose and provides choice.
·       Institutionalizes a bespoke service selection methodology that ensures the Optimal Choice is made to capture Maximum Value as defined by the relevant stakeholders.
 
Here is an example of a Curated Service Catalog for the manufacturing sector:

So what?
By distilling the world of possibilities down to business-friendly options, organizations can realize more value faster and at scale. I plan on sharing some of the most interesting, timely and relevant candidates via a new blog series called Innovation Matters.

Point of Origin Hacking (POOH)

Historically, infosec risk managers have stressed focusing only on the most likely and most impactful threats. However, this practice often misses “obvious” vulnerabilities that lead to catastrophic failure. When realized, these threats are often branded as “black swan” events, which some believe could never have been predicted. This lack of imagination is no longer acceptable, given advances in modeling and simulation capabilities.
 
Rather, novel, forward-thinking and expanded threat catalogs need to be developed and adopted. This is the fundamental tenet behind POOH (Point of Origin Hacking). The concept goes like this: if you have a properly motivated adversary, they will (eventually) develop or obtain a (theoretical) capability that they will use against you. So, build systems that take theoretical vulnerabilities into account, as they will likely become practical in the fullness of time.
 

Example: In a post-quantum world, the public-key algorithms in use today (RSA, Diffie-Hellman and the elliptic-curve schemes) will be worthless as a protection mechanism, because Shor’s algorithm breaks them outright; symmetric ciphers survive but lose roughly half their effective key length to Grover’s algorithm. Knowing this, organizations should inventory where those algorithms protect data and plan a migration to post-quantum secure algorithms now, since encrypted traffic captured today can be decrypted once the capability exists.
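As an added example of putting the POOH principle into practice (this is not code from the original post), the script below triages a TLS inventory, of the kind a scanner would report, for exposure to a future cryptographically relevant quantum computer. The endpoint records, hostnames and domain settings are constructed; the rules encode the two established results named above, Shor breaking the classical key exchange and signature algorithms and Grover halving symmetric key strength, and rank the key exchange finding first because recorded traffic is exposed today.

```python
"""Triage a TLS inventory for exposure to a cryptographically relevant quantum computer.

Added example, not from the original post. The endpoint records are constructed
and the rules encode two established results: Shor's algorithm breaks RSA,
finite-field Diffie-Hellman and elliptic-curve key exchange and signatures,
while Grover's algorithm roughly halves the effective key length of a
symmetric cipher.
"""
import re
from dataclasses import dataclass
from typing import Optional

PQ_KEM_MARKERS = ("MLKEM", "KYBER")  # substrings identifying a PQ or hybrid KEM group name


@dataclass(frozen=True)
class Endpoint:
    host: str
    cipher_suite: str          # OpenSSL-style name as a scanner would report it
    kex_group: Optional[str]   # negotiated (EC)DH or KEM group; None when TLS 1.2 uses RSA key transport
    cert_key: str              # certificate key, e.g. "RSA-2048", "ECDSA-P256"


# Constructed inventory (assumption: hostnames and settings are illustrative only).
SAMPLE_INVENTORY = [
    Endpoint("web-legacy", "ECDHE-RSA-AES128-GCM-SHA256", "X25519", "RSA-2048"),
    Endpoint("api-modern", "TLS_AES_256_GCM_SHA384", "X25519MLKEM768", "ECDSA-P256"),
    Endpoint("vpn-old", "RSA-AES256-SHA", None, "RSA-2048"),
]


def _is_pq_group(group: Optional[str]) -> bool:
    return bool(group) and any(m in group.upper() for m in PQ_KEM_MARKERS)


def _symmetric_bits(cipher_suite: str) -> Optional[int]:
    """Key length of the bulk cipher, parsed from the suite name."""
    m = re.search(r"AES[_-]?(128|256)|(CHACHA20)", cipher_suite, re.I)
    if not m:
        return None
    return 256 if m.group(2) else int(m.group(1))


def _kex_type(ep: Endpoint) -> str:
    # TLS 1.2 suites starting with "RSA-" use RSA key transport; everything else
    # (TLS 1.2 ECDHE/DHE and all of TLS 1.3) takes its key exchange from the group.
    if not ep.cipher_suite.upper().startswith("TLS_") and ep.cipher_suite.split("-")[0].upper() == "RSA":
        return "classical-RSA-kex"
    return "PQ-hybrid" if _is_pq_group(ep.kex_group) else "classical-(EC)DH"


def assess(ep: Endpoint) -> dict:
    kex = _kex_type(ep)
    bits = _symmetric_bits(ep.cipher_suite)
    grover_bits = bits // 2 if bits else None
    findings = []
    if kex != "PQ-hybrid":
        # Confidentiality is the urgent case: traffic recorded today is decrypted
        # once a CRQC exists, so the fix cannot wait for the threat to be practical.
        findings.append("key exchange breakable by Shor: exposed to harvest-now-decrypt-later")
    if grover_bits is not None and grover_bits < 128:
        findings.append(f"{bits}-bit symmetric key is ~{grover_bits} bits under Grover; prefer AES-256")
    if not ep.cert_key.upper().startswith(("ML-DSA", "SLH-DSA")):
        # Signatures are not retroactively broken, so this is less urgent, but the
        # PKI must move to a PQ signature scheme before a CRQC exists.
        findings.append(f"certificate key {ep.cert_key} forgeable by Shor once a CRQC exists")
    return {"host": ep.host, "key_exchange": kex, "grover_effective_bits": grover_bits, "findings": findings}


def assess_inventory(endpoints):
    """Most exposed endpoints first."""
    return sorted((assess(ep) for ep in endpoints), key=lambda r: -len(r["findings"]))


if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_INVENTORY):
        print(r["host"], r["key_exchange"], r["findings"])
```

Feeding real scanner output into this would be the first step of a crypto inventory; the ranking reflects that a classical key exchange is a present-day exposure, whereas a classical certificate key only needs to be replaced before the capability arrives.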
 
So the next time someone tells you that an alien invasion, zombie apocalypse and giant meteors are out of scope for your threat catalog, just remind them that those items look a lot like volcanoes, pandemics, unprovoked war, trucker strikes, train derailments, global warming...Plan accordingly, because you never see the one that gets you.

Would you be embarrassed by your password…or worse?

That was the nagging question in my head after hosting last month’s security summit. It was seeded by a conversation with Britton White, a security practitioner who is trying to raise awareness of the very real threat posed by infostealers like Raccoon, Vidar and RedLine. Britton shared details of several incidents (use cases) leading to exposure of extremely sensitive information, including diagnostic medical records like exam pictures. We also discussed the disappearing lines between work, home and “play” in a post-Covid world. What I found most interesting about these incidents was the reactions of the victims. They ranged from shocked disbelief to denial and everything in between.

Infostealers are a type of malware sold on underground forums and criminal marketplaces, and they are part of a fascinating and growing ecosystem. Victims can be infected via phishing, compromised websites and interaction with infected files. Once a machine is infected, the victim’s data is exfiltrated, packaged and sold. While the data stolen can vary, of special interest are authentication credentials like user names and passwords, along with session cookies that can bypass a login altogether. An excellent primer on infostealers can be found here.
 
A common theme in many of the use cases involves an organization’s system credentials being compromised by infostealers installed on personal computing devices. Since many organizations allow users to access organizational systems from unmanaged devices, those systems can become collateral damage from an infostealer attack. Key personnel with privileged system access pose a special risk to organizations. Those users have a responsibility to alert their organizations of a breach; however, they are typically the last to learn they have been compromised!

In a recent incident, I observed an interesting variant of the above scenario. Corporate security personnel were made aware of an infostealer incident involving one of their employees. It appeared the victim had been accessing corporate systems from an impacted personal computer. The corporate systems were protected via multi-factor authentication, but the victim’s personal accounts were not. While the employee had an obligation to report the breach, that obligation did not necessarily apply to their employer. In fact, the corporate security team did not have a clear policy or procedure in place to deal with this incident. Therefore, they had to engage with HR, legal and compliance before finding a way forward.

Of course, the right thing to do is to help the victim; however, the specific intelligence and how it is acquired matters. Does it contain stolen or doxed data? Does it fall under PII protections? Should corporations monitor their employees’ activity while they are not working? Are there any liability pitfalls? This type of intelligence will most assuredly contain compromised passwords associated with the victim. Those “secrets” can NEVER be unseen. Let that sink in. Best case, the victim is shown to use strong passwords but was still compromised. Perhaps they use simple, easily guessed passwords that frame them as lazy or ignorant. Or worse, what if the victim’s password is a racial slur, sexually suggestive or otherwise prohibited by company policy? Malware, the gift that keeps on giving.
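One way a corporate security team can act on a stealer log without anyone having to “see” the secrets, as an added example that is not part of the original post: parse the dump, keep only a truncated hash of each password, flag which records touch the employer’s own domains, and flag reuse of the same secret between corporate and personal sites (the scenario above, where corporate access had MFA but the personal accounts did not). The log layout (URL / Username / Password / Application fields separated by a line of “=” characters) is an assumption about common stealer output, and the log, domains and usernames are constructed.

```python
"""Triage an infostealer credential dump without retaining the plaintext secrets.

Added example, not from the original post. It assumes the common text layout
of a stealer "Passwords.txt" (URL / Username / Password / Application fields,
records separated by a line of '=' characters); the log, the domains and the
usernames below are constructed.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log in that layout (assumption about the format, not real data).
SAMPLE_LOG = """\
URL: https://vpn.example-corp.com/remote/login
Username: jdoe
Password: Summer2023!
Application: Google_[Chrome]_Default
===============
URL: https://mail.example-corp.com/owa/
Username: jdoe@example-corp.com
Password: Summer2023!
Application: Microsoft_[Edge]_Default
===============
URL: https://shop.example.net/account
Username: jdoe88
Password: hunter2
Application: Google_[Chrome]_Default
===============
"""

CORPORATE_DOMAINS = {"example-corp.com"}  # assumption: the employer's domains


@dataclass(frozen=True)
class Finding:
    host: str
    username: str
    password_fingerprint: str  # truncated SHA-256 of the secret, never the secret itself
    password_reused: bool      # the same secret appears on another site in the dump
    corporate: bool            # the host belongs to the employer


def _fingerprint(secret: str) -> str:
    # In production use a keyed hash (HMAC with a per-case key) so the fingerprint
    # cannot be brute-forced offline; a plain truncated hash is enough here to
    # detect reuse without keeping or displaying the plaintext.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def _in_scope(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_records(text: str) -> list:
    """Split the dump into records and keep only complete credential triples."""
    records = []
    for block in re.split(r"^=+\s*$", text, flags=re.MULTILINE):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if {"url", "username", "password"}.issubset(fields):
            records.append(fields)
    return records


def triage(text: str, corporate_domains=CORPORATE_DOMAINS) -> list:
    records = parse_records(text)
    reuse = Counter(_fingerprint(r["password"]) for r in records)
    findings = []
    for r in records:
        host = (urlsplit(r["url"]).hostname or "").lower()
        fp = _fingerprint(r["password"])
        findings.append(Finding(host, r["username"], fp, reuse[fp] > 1,
                                _in_scope(host, corporate_domains)))
    return findings


def corporate_exposure(text: str, corporate_domains=CORPORATE_DOMAINS) -> list:
    """Records that warrant a forced reset and a notification to the account owner."""
    return [f for f in triage(text, corporate_domains) if f.corporate]


if __name__ == "__main__":
    for f in corporate_exposure(SAMPLE_LOG):
        print(f)
```

The output is enough to force a reset on the corporate accounts and to tell the employee that the same password was also used on a personal site, without the analyst, HR or legal ever handling the password itself.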

What does a reasonable response to the growing threat of infostealers look like? Consider these four simple practices that could limit the negative impact of an infostealer attack:
1.     Don’t do company business on personal systems
2.     Don’t use password vaults
3.     Don’t save credentials in your browsers
4.     Don’t use embarrassing passwords

Unfortunately, convenience is the antithesis of security, safety and privacy. Please be thoughtful when finding your balance.

State Of The (Snake Oil) Business: A Manifesto For Change

Ahead of this year’s RSA Conference I have spent some cycles thinking about how far our industry has come, or more precisely, how little we have accomplished. The world is not a safer place, our systems are more complex than ever and threat actors continue to win while defenders burn out.

The modern cyber security industry arguably started in the early nineties with the advent of the WWW. As organizations and individuals rushed to get “online”, little regard was given to basic security principles like Confidentiality, Integrity and Availability. Very few people understood how the underlying technology worked or, more importantly, how it could fail or be corrupted. The quest for subscribers and fear of missing out fueled exponential growth. “Houston, we have a problem.” But that realization came too late; the proverbial genie was out of the bottle. Never fear, we will use technology to “fix” technology. Passwords, AV, firewalls and IDS to the rescue…

I was one of the many who believed technology could save us from ourselves. In 1998 I started socializing a methodology I developed called AFIRM (Active Forensic Intelligent Response Method). The following year I published a reference architecture & platform called SANE (Security Adaptive Network Environment), which was originally designed for the Air Force SBIR program. Notwithstanding my cringe-worthy obsession with acronyms, lack of an accepted taxonomy and a strong conviction that Y2K civil litigation would be a compelling event, it occurs to me that SANE is still relevant.

25 years later, the market has caught up with the vision. A SANE platform is achievable. We could argue some of the nuances, but it effectively represents the capabilities organizations need to actively achieve a business-reasonable security posture today. However, between the FUD, silver bullets and the “Illusion of Choice”, our industry is not driving positive change but entrenching the status quo. How can we break this cycle? More swag bags, back-to-back meetings to justify airfare, copious badge scanning to feed next quarter’s cold calls or dueling parties where the vendors outnumber the clients…I think not.

Rather, consider adopting these simple principles when deciding how you spend your limited resources:
  1. Know what matters most. Understand your organization’s mission, stakeholders and risk register. Effective governance is more important than technology. #CultureCounts
  2. Don’t be in a rush to buy more technology. If your tech is not “optionally transparent” it can easily become a liability. Leverage the latent capabilities present in your current estate. Consider removing two technologies for every new technology brought into your environment. #OptimizeValue
  3. Humans matter. Make it easy to do the right thing and hard to do the wrong thing. #HumanFirewall
  4. Automate whenever possible. Humans only need to be involved when discretion is required. Automate everything else. However, beware of automating a broken business process. That is a sure-fire way to fail at scale. #FailAtScale
  5. Adopt meaningful metrics and score your decisions accordingly. Learn from your mistakes as they are often very expensive. Treat them as an investment not as an embarrassment. #MeaningfulMetrics

This is my call to action and request to our industry leaders as they meet this week in San Francisco. Let’s build SANE systems and protect what matters most!