Book review: You’ll see this message when it is too late

A new book from Professor Josephine Wolff at Rochester Inst. of Technology called You’ll see this message when it is too late is worth reading.  While there are plenty of other infosec books on the market, to my knowledge this is first systematic analysis of different data breaches over the past decade.

She reviews a total of nine major data breaches of the recent past and classifies them into three different categories, based on the hackers’ motivations; those that happened for financial gain (TJ Maxx and the South Carolina Department of Revenue and various ransomware attacks); for cyberespionage (DigiNotar and US OPM) and online humiliation (Sony and Ashley Madison). She takes us behind the scenes of how the breaches were discovered, what mistakes were made and what could have been done to mitigate the situation.

A lot has been already written on these breaches, but what sets Wolff’s book apart is that she isn’t trying to assign blame but dive into their root causes and link together various IT and corporate policy failures that led to the actual breach.

There is also a lot of discussion about how management is often wrong about these root causes or the path towards mitigation after the breach is discovered. For example, then-South Carolina governor Nikki Haley insisted that if only the IRS had told them to encrypt their stolen tax data, they would have been safe. Wolff then describes what the FBI had to do to fight the Zeus botnet, where its authors registered thousands of domain names in advance of each campaign, generating new ones for each attack. The FBI ended up working with security researchers to figure out the botnet’s algorithms and be able to shut down the domains before they could be used by the attackers. This was back in 2012, when such partnerships between government and private enterprise were rare. This collaboration also happened in 2014 when Sony was hacked.

Another example of management security hubris can be found with the Ashley Madison breach, where its managers touted how secure its data was and how your profiles could be deleted with confidence — both promises were far from the truth as we all later found out.

The significance of some of these attacks weren’t appreciated until much later. For example, the attack on the Dutch registrar DigiNotar’s certificate management eventually led to its bankruptcy. But more importantly, it demonstrated that a small security flaw could have global implications, and undermine overall trust in the Internet and compromise hundreds of thousands of Iranian email accounts. To this day, most Internet users still don’t understand the significance in how these certificates are created and vetted.

Wolff mentions that “finding a way into a computer system to steal data is comparatively easy. Finding a way to monetize that data can be much harder.” Yes, mistakes were made by the breached parties she covers in this book. “But there were also potential defenders who could have stepped in to detect or stop certain stages of these breaches.” This makes the blame game more complex, and shows that we must consider the entire ecosystem and understand where the weak points lie.

Yes, TJ Maxx could have provided stronger encryption for its wireless networks; South Carolina DoR could have used MFA; DigiNotar could have segmented its network more effectively and set up better intrusion prevention policies; Sony could have been tracking exported data from its network; OPM could have encrypted its personnel files; Ashley Madison could have done a better job with protecting its database security and login credentials. But nonetheless, it is still difficult to define who was really responsible for these various breaches. 

For corporate security and IT managers, this book should be required reading.

CSOonline: How to set up a successful digital forensics program

IT and security managers have found themselves increasingly needing to better understand the world of digital forensics. This world has become more important as the probability of being breached continues to approach near-certainty, and as organizations need to better prepare themselves for legal actions and other post-breach consequences.

In this post for CSOonline, I describe the basics behind digital forensics, the kinds of specialized tools that are required, links to appropriate resources to learn more and a checklist of various decisions that you will need to consider if you are going to be more involved in this field. It is not just about understanding the legal consequences of a breach, but also in being properly prepared before a breach occurs. And something that you need to get your head around: lawyers can be your friends in these circumstances.

CSOonline: Top application security tools for 2019

The 2018 Verizon Data Breach Investigations Report says most hacks still happen through breaches of web applications. For this reason, testing and securing applications (from my CSOonline article last month) has become a priority for many organizations. That job is made easier by a growing selection of application security tools. I put together a list of 13 of the best ones available, with descriptions of the situations where they can be most effective. I highlight both commercial and free products. The commercial products very rarely provide list prices and are often bundled with other tools from the vendor with volume or longer-term licensing discounts. Some of the free tools, such as Burp Suite, also have fee-based versions that offer more features. You can review my list in CSOonline here. 

 

 

HID ActivID Authentication Server: A very capable and comprehensive IAM product

If you are looking for a comprehensive identity and access management (IAM) tool that can cover just about any authentication situation and provide ironclad security for your enterprise, you should consider HID Global’s ActivID product line.

Even if you are an IAM specialist, it will take days and probably weeks of effort to get the full constellation of features setup properly and tested for your particular circumstances. There is good news though: you would be hard pressed to find an authentication situation that it doesn’t handle. t has a wide range of tools that can lock down your network, covers a variety of multifactor authentication methods and token form factors (as shown here below), and provides single sign-on (SSO) application protection.

f you are rolling out MFA protection as part of a larger effort to secure your users and logins, then the case for using HID’s product becomes very compelling.

I was hired to take a closer look at their product earlier this year, and came away impressed with the level of thoroughness and comprehensive protective features. You can download my report here and learn more about this tool and what it can do.

CSOonline: What is application security and how to secure your software

Application security is the process of making apps more secure by finding, fixing, and enhancing the security of apps. Much of this happens during the development phase, but it includes tools and methods to protect apps once they are deployed. This is becoming more important as hackers increasingly target applications with their attacks.

In the first of a two-part series for CSOonline, I discuss some of the reasons why you need to secure your apps and the wide variety of specialized tools for securing mobile apps, for network-based apps, and for firewalls designed especially for web applications. Next month, I will recommend some of these products.

HPE Enterprise.nxt blog: 10 security trends to watch for in 2019

This has been quite a year for data breaches, with reports that numerous unsecured Amazon Web Services storage containers were inadvertently made public, a rise in hidden cryptomining malware, and lots of victims continuing to fall for ransomware and other botnet attacks. So, with that context, let’s look at what security trends 2019 could bring and ways to prepare for the coming year. I cover security awareness training, hiding malware in plain sight with fileless and other techniques, the rise of FIDO2 and better cloud security in my story in HPE’s Enterprise.nxt blog.

RSA blog: Everyday we should practice cybersecurity awareness

Yes, just like last October, this month we celebrate National Cybersecurity Awareness Month. So let’s look at what happened in the past year since we last honored this manufactured “holiday.”

We started off 2018 with more than three million records breached by Jason’s Deli, moved into spring with five million records from Saks/Lord&Taylor and 37 million care of Panera Bread restaurants. May saw breaches from fitness tracking company PumpUp and clothing retailer UnderArmor. July was a new low point with breaches from Ticketfly, the Sacramento Bee newspaper chain, and MyHeritage. And let’s not forget Exactis with 340 million records placed online.

And there are many, many other companies who have been breached that I haven’t even mentioned. The issue is that with security awareness, you are only as good as yesterday’s response. In this post for RSA’s blog, I have several suggestions on ways to make this month more meaningful and actionable for IT managers.

Security Intelligence blog: Is Your Site Protected Against Drupal Security Flaws?

Drupal is a leading open source content management tool that hosts a significant portion of the most popular websites on the internet. If you have not heard about the Drupal security flaws from earlier this year, then you need to take a closer look at what happened and start taking precautions to protect your own installations. You can read my post in IBM’s Security Intelligence blog here.

CSOonline: Lessons learned from the Park Jin Hyok indictment

Last month the US DoJ unsealed this indictment of a North Korean spy Park Jin Hyok that they claim was behind the hacks against Sony and the creation and distribution of Wanna Cry. It is a 170+ page document that was written by Nathan Shields of the FBI’s LA office and shows the careful sequence of forensic analysis they used to figure out how various attacks were conducted. In this post for CSOonline, I talk about some of the implications for IT managers, based on the extensive details described in the indictment.

The legalities of hacking back (presentation)

There is a growing trend in information security to be able to hack back or use various direct measures to attack your attackers. There are several issues:

  • attributing an attack to the right source,
  • understanding the attacker’s intent, and
  • developing the right red team skills.

In this talk given at Secure World St. Louis this month, I will talk about the ways that an enterprise can defend itself, and how to go about this process.