Week 11 – Netflix Stethoscope

On Tuesday, Netflix released their open-source, user-led security tool, Stethoscope. In their blog post, Netflix outlined their belief that users are more open to security when it is not forced upon them.

It is an interesting web-based tool (that also works on mobile). The tool analyzes a user’s device and gives them easy-to-follow recommendations for securing it. Disk encryption, screen locks, and OS updates are all topics the tool will offer advice about. It also integrates with existing tools an organization may already be using, such as LANDESK, which is great because many organizations could roll this out without making large changes to their environment.

This is an excellent tool that Netflix is providing to the community (it is on GitHub). Forcing security on users is tough for everyone. By explaining the need in a way tailored to the individual user, users may be more likely to implement the changes requested by the IT team.

I will be spinning Stethoscope up to take it for a test drive over the next week or two. Look for a follow-up post soon!

Week 10 – Aadhaar’s Security Problem

An interesting article popped up on Mashable.com this week about India’s biometric database, Aadhaar. Aadhaar is India’s way of compensating for the lack of birth certificates and other identity documents among its citizens. For many years, according to the article, the majority of people in India did not have birth certificates. To address this, the Indian Government designed Aadhaar.

Aadhaar is a biometric database which contains information on 99% of India’s adult population. This database is used for more than just identification, though. The government of India has plans to do away with credit cards, moving to fingerprint-based transactions. In addition to being a payment gateway, Aadhaar is also poised to pivot into a digital wallet. India’s citizens will be able to load their health card and driver’s license into an electronic wallet of sorts, removing the need for physical cards.

This sounds great, but the problem is that the database has never gone through an assessment or audit process. This, of course, has led to falsified entries in the database. These falsified entries are being used for all types of scams, and a complete lack of oversight is leaving citizens with little to no privacy.

My take – This is why we develop with a security-first mindset. Aadhaar is already so big that it will be hard to transition it onto a more secure platform. If security had been considered during software development, some of these problems could have been avoided.

Additionally, the government needs to consider routine audits of the database. A risk management strategy would greatly improve the Indian government’s chances of securing Aadhaar. Many identities are at risk if they do not adopt one for this database. A continuous assessment plan should be considered and adopted; this would certainly help with falsified records.

Week 9 – President Trump Fires White House CISO

As a follow-up to my Week 7 post about President Trump using a five-year-old Android phone: the President has now decided to fire the White House CISO whom President Obama hired in 2015. TechTarget Senior Reporter Michael Heller reports that the President is likely using his private security firm to handle those duties until a replacement is hired.

When President Obama hired Cory Louie back in 2015, he wanted to help the White House better understand the risks and threats that they faced. While there was never much publicity about this hire, it is obvious that the former President and his staff felt the need to better protect the White House. I would tend to agree. As stated in my week 7 article, there are no laws dictating what types of technology the President can use, therefore it is easy to see why the President may want a security advisor. It is likely that Louie helped shape the President’s security strategy as well as making recommendations for how the President should use technology.

Frankly, if President Trump’s private security team is allowing him to use a five-year-old phone, I have to question whether or not they can guide the White House away from security threats. I believe President Obama made the right decision in hiring a CISO for the White House, and I am hopeful that President Trump will hire a replacement.

Week 8 – Super Bowl Security Considerations

As someone without a cable subscription, I was happy to see the NFL and Fox heavily promoting that one would be able to stream the Super Bowl using the Fox Sports Go app. I have seen a similar trend with the NBA offering most of their playoff games via streaming apps.

This is great for cord cutters, but it got me thinking about the security threats faced by the NFL and Fox. According to Business Insider, a Super Bowl commercial costs $5 million this year, up about $200,000 from last year. With streaming becoming a more popular form of consuming media, I would wager that advertisers are hoping for a high number of streamers to view their advertisements as well. Not only that, but streamers provide more analytics than typical cable viewers. With money and data at stake, the NFL and Fox have a vested interest in offering a high-quality stream. Because of that, I am sure attackers are also interested in taking the stream offline.

So while the NFL used to mainly focus on the physical security of their event, now they are going to have to also consider their cyber security strategy. Though I doubt we will ever get to see a breakdown of how the NFL implements this protection, I am sure they have a large team dedicated to minimizing the risk of a stream cutting out. I certainly hope they do, after all I want to see some ridiculous commercials without interruption!

Week 7 – President Trump’s Old Phone

While President Trump has been in the news all week for various Executive Orders, one thing that caught the security community’s attention was a New York Times article. In the article, Maggie Haberman notes that President Trump is still using an “old, unsecured Android phone” even though aides have urged him to give it up.

This is not a new practice; after all, President Obama fought to keep his BlackBerry back in 2009. The difference is that President Obama accepted a new, secured BlackBerry. At this point, President Trump has refused to give up his old Android handset.

Lily Newman writes about the inherent risk of President Trump using an old phone (some speculating it might be over five years old) in her article on Wired.com. Newman points out that the risk may not even be attacks against the President. Many applications, Twitter being one of them, constantly track a user’s location – not exactly secure.

My overall take is one of disbelief. Back in 2009 smartphones were relatively new, mainly used for email. There was not a real alternative at the time, so it makes more sense for President Obama to have fought for a secure version of his device. Reportedly President Trump has been offered a secure device, but refuses. Furthermore, according to Newman, there are no policies requiring the use of secure devices by a President. This makes no sense from a security standpoint, but it reminds me of most organizations that let their senior leaders ignore policy. Businesses should remember that they are only as strong as their weakest link; hopefully in this case the weakest link is not a five-year-old Android device.


Week 6 – Building a Wall is not Enough

With Donald Trump’s presidency starting on Friday, I felt this week would be a good time to tackle the idea of defense in depth. Trump, as everyone knows, is adamant that his administration will build a wall along the border between the United States and Mexico. However, as noted by Lily Newman at Wired.com, the wall will likely only cover half of the border. This reminds me of many firewall designs.

Typically a firewall will be deployed at the edge of a network and then various ports will be opened up. Every port that is opened is a path into the network, and organizations start leaving themselves vulnerable to attack through them. Additionally, many networks are using the M&M strategy – hard on the outside, soft on the inside. If an attacker makes it past the edge, many networks are ripe for the taking.

Organizations need to go beyond a wall if they want to stop the problem. Companies should evaluate adding security to each piece of their infrastructure: endpoints should have protection, email should be monitored, web traffic needs to be classified, and traffic between internal segments should be restricted to what the applications actually need. More mature organizations can also look at monitoring network traffic for anomalies and enforcing policy based on observed patterns.

Taking extra steps beyond the firewall helps a company build a defense-in-depth strategy and stop would-be attackers.
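To make the M&M point concrete, here is an added example (my own illustration, not code from the original post or from any of the vendors mentioned). It models a small network twice: once with an edge firewall and a flat interior, and once with the same edge rule plus explicit allow-lists between internal zones. It then measures what an attacker who has compromised the public web server can reach under each policy. The hosts, zones, listening ports and rules are all constructed for the example.

```python
"""Added example (not from the original post): a tiny model of the "M&M"
network beside a segmented one, to show how far an attacker who has
compromised the public web server can get under each policy.  All hosts,
zones, services and rules below are constructed for illustration."""
from collections import deque

# Constructed inventory: host -> zone it sits in.
HOSTS = {
    "internet": "outside",
    "web01": "dmz",
    "app01": "app",
    "db01": "data",
    "hr-laptop": "users",
    "backup01": "mgmt",
}

# Constructed listening TCP ports per host.
SERVICES = {
    "web01": {443, 22},
    "app01": {8080, 22},
    "db01": {5432, 22},
    "hr-laptop": {445},
    "backup01": {22, 873},
}

INTERNAL_ZONES = {"dmz", "app", "data", "users", "mgmt"}

# A policy is a list of (source zone, destination zone, ports); "*" = any port.
# "M&M": the edge firewall only admits 443 to the DMZ, but once inside,
# every zone can reach every other zone on any port.
EDGE_ONLY = [("outside", "dmz", {443})] + [
    (src, dst, "*")
    for src in INTERNAL_ZONES
    for dst in INTERNAL_ZONES
    if src != dst
]

# Defense in depth: the same edge rule, plus explicit allow-lists between
# internal zones that follow the application's real traffic flows.
SEGMENTED = [
    ("outside", "dmz", {443}),
    ("dmz", "app", {8080}),    # web tier talks to the app tier only
    ("app", "data", {5432}),   # app tier talks to the database only
    ("mgmt", "data", {5432}),  # backup host pulls from the database
    ("users", "dmz", {443}),   # staff browse the public site
]


def allowed(policy, src_zone, dst_zone, port):
    """True if the policy lets src_zone open `port` on dst_zone.
    Traffic inside one zone never crosses a firewall, so it is always allowed;
    host firewalls would be the next layer down and are not modelled here."""
    if src_zone == dst_zone:
        return True
    return any(
        s == src_zone and d == dst_zone and (ports == "*" or port in ports)
        for s, d, ports in policy
    )


def exposed_services(policy, foothold):
    """Set of (host, port) an attacker on `foothold` can connect to directly."""
    src_zone = HOSTS[foothold]
    exposed = set()
    for host, ports in SERVICES.items():
        if host == foothold:
            continue
        for port in ports:
            if allowed(policy, src_zone, HOSTS[host], port):
                exposed.add((host, port))
    return exposed


def blast_radius(policy, foothold):
    """Worst-case set of hosts reachable by lateral movement from `foothold`,
    assuming every service the attacker can reach is exploitable."""
    compromised = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for host, _port in exposed_services(policy, current):
            if host not in compromised:
                compromised.add(host)
                queue.append(host)
    return compromised - {foothold}


if __name__ == "__main__":
    for name, policy in (("edge-only (M&M)", EDGE_ONLY), ("segmented", SEGMENTED)):
        print(f"{name}: web01 can directly reach {sorted(exposed_services(policy, 'web01'))}")
        print(f"{name}: blast radius from web01 = {sorted(blast_radius(policy, 'web01'))}")
```

Under the edge-only policy a compromised web01 can connect to every service on every internal host, and the worst-case blast radius is the whole network. Under the segmented policy it can touch one port on the app tier, and even assuming that is exploitable the attacker still cannot reach the HR laptop or the backup host. The value of the exercise is the metric, not the toy: run the same reachability check against your own zone inventory and firewall rules to see where the interior is still soft.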

Week 5 – Best Buy and the FBI

Reports are circulating around the internet that, in several instances, the FBI has used Best Buy Geek Squad employees as informants, paying the employees a $500 finder’s fee each time they turn in a computer.

R. Scott Moxley wrote about a court case in which this activity was revealed. While Best Buy has denied the activity, claiming they do not purposefully search devices, the court proceedings paint a different picture. According to the article posted by Moxley, Best Buy had an informant on staff on nearly every shift starting in 2007.

This is concerning for privacy in general. While the employees seem to be uncovering illegal material, what else are they viewing without the consent of their customers? Is it true that my tax information, banking details, etc. are all fair game for Geek Squad employees should I take a device there for repair?

Additionally, I would question whether this type of search is even legal. In the article, the files found were in ‘unallocated trash space.’ Files in unallocated space certainly would not constitute plain view.

For the average user, I would never recommend they take their device to a repair shop of any type. The only exception to this would be the Apple Store, simply because Apple products can rarely be repaired. Users who cannot fix their own computer should look to a trusted friend for help.

Week 4 – When a Report Isn’t Enough

Earlier this week, the Feds released a report asserting that the Russian Government had a hand in the United States 2016 Election. As concerning as this is, some security skeptics feel that the report did not do enough, or say enough, to prove Russian involvement. Andy Greenberg’s Wired.com article quotes one security professional as being upset that more technical details were not released.

I believe the US Government is in a tough position. A company would never release the full details of a breach, some items are always going to remain classified. Is it wrong for the government to hold back details? I am not sure. Because this report is dealing with the outcome of an election, should all the details be released? If it turns out that this is true, and the election was altered by Russia, do we start over with the election?

I wager that we will never know the full details of this attack, or how it influenced our election. With just a couple weeks until inauguration day, my guess is that the report will stay as is.


Week 3 – Another Day, Another Yahoo Attack

Earlier this week, Brian Krebs posted a story about another hack affecting Yahoo users. Last time it was 500 million users; this time Yahoo believes that 1 billion accounts were affected. On top of that, the attack happened in 2013 and the security team still has not determined how access was gained.

It is scary to think that many attacks go unnoticed for so long. If it took Yahoo three years to determine they were hacked, how long will it take a small enterprise? When I wrote about small businesses last week I mentioned that they would be wise to consolidate their security platforms. I still believe that is true, but my concern now shifts to the third parties these small businesses rely on.

Small businesses should be careful with where they store customer data. How many small businesses are using a Yahoo account somewhere on their network? If they were using a Yahoo account to conduct business, it is safe to assume that the attack reaches farther than Yahoo’s user base. Customer information for many businesses could be exposed because of this breach.

Yahoo and other companies who offer free services must put security first. Security should be a part of every conversation and brought in early. If the security team was established early on, perhaps this could have been avoided.

Small Businesses Can’t Keep Up with Security Trends

Small to medium businesses, let’s say under 1,000 employees, may be in the toughest position as we enter a time where attackers are more sophisticated than ever. In speaking with fifty or so leaders in the past few months I have heard a recurring theme – leaders are aware of the threats they may face, but are paralyzed by complexity and a lack of resources. What can we do as security practitioners to help these lean businesses lower their security risk?

I believe that it is time for consolidation within the security industry. Today, the average company interacts with 32 security vendors (Kerravala, 2016). That is a staggering amount of vendors, and even if the number was reduced for smaller customers it still would not be sustainable.

How many businesses run lean, with one or two IT staff members? (hint: A lot) Are we, in the security industry, doing the right thing by forcing companies to choose multiple vendors or designing security architectures based on disparate technologies?

As we move into a new era of cybersecurity, small to medium businesses have two options. They can either outsource their security efforts or consolidate the number of vendors they use. An outsourcing effort would likely leave the business more secure, but outsourcing can come with high operational expenses. I think vendor consolidation is the better approach. A small IT team can manage one or two vendors, especially if one is an existing security vendor.

Companies like Check Point, Palo Alto Networks, and Cisco all offer products in different segments of the security industry. Palo Alto Networks offers firewall, web, and other products, as does Cisco. A small business could theoretically focus all of its security efforts on Cisco or Palo Alto Networks and have a fairly robust security strategy.

Company leaders should not feel paralyzed by their security strategy. Vendor consolidation will help small to medium businesses get the most out of their IT teams and security budget. An expensive alternative could be to outsource the security practice to a specialized vendor. The vendor could then handle the complexity. Those of us in the security industry have a responsibility to help businesses design architectures that are secure, not a burden.

Reference:

Kerravala, Z. (2016, April 22). Cisco well positioned to dominate cybersecurity market. Retrieved December 07, 2016, from http://www.networkworld.com/article/3109562/security/cisco-well-positioned-to-dominate-cybersecurity-market.html