Forget eliminating risk

We can’t eliminate risk, but we should manage it, recommends Huawei’s chief security officer.

“How are you going to manage, not stop, risk?” asked John Suffolk, the Global Cyber Security & Privacy Officer of Huawei Technologies, at the company’s ICT roadshow in Sydney today.

Suffolk’s message is one that should be heeded by all business owners, managers and executives in areas more than just IT security.

One of the conceits of late Twentieth Century management philosophy was that risk could be managed out of business, partly through technology but mainly through legalisms that attempted to push liabilities onto suppliers, contractors, resellers and customers.

That philosophy still holds true in many organisations today, particularly government agencies, and it costs them dearly.

In truth, business is risky and trying to eliminate risk is a fool’s errand. How it’s managed is the real test for leaders.

Trust, security and the internet of things

It may prove impossible to secure the Internet of Things. If so, we’re going to have to develop new trust mechanisms.

I’ve spent the last week in Las Vegas attending the Black Hat and DefCon security conferences. Among much of the discussion about protecting oneself against the misuse of technology, one thing that stood out was the focus on the Internet of Things.

Listening to some of the discussions and speaking to various people, it’s increasingly clear the consensus is the IoT is effectively unsecurable – the range of devices connected to the internet is just too great to be protected.

Compounding the problem is the plethora of poorly designed devices where security is, at best, a vague afterthought, along with an older generation of equipment that was never intended to be connected to the public-facing internet.

Given that many of these devices are going to be critical to businesses and individual lifestyles, their reliability and the quality of the data they gather are increasingly going to come into question, and the systems that rely upon them are going to need ways to validate the information they receive.

Perhaps this is where machine learning and artificial intelligence are going to be valuable in watching for anomalies in the information and flagging where problems are happening within networks.

As those networks become more essential to society, we’re going to have to build more redundancy and robustness into our systems; the key component, though, may be trust.

Enemies of the state

Governments around the world are resorting to common malware tools to harass and watch dissidents, warns the Electronic Frontier Foundation.

One of the sad truths of today’s online world is that dissidents, lawyers and journalists are ripe targets for governments that want to suppress who they perceive to be their enemies.

At the Black Hat security conference in Las Vegas today, the Electronic Frontier Foundation’s Eva Galperin and Cooper Quintin gave a demonstration of just what lengths governments will go to in hacking their opponents.

In When Governments Attack, Galperin and Quintin illustrated how Syria, Ethiopia and Vietnam are all countries whose hacking campaigns they’ve encountered, but the particular focus was on Operation Manul, which revolved around the Kazakhstan regime’s attacks on its opponents.

The government of Nursultan Nazarbayev is well known for its corruption, intolerance and global harassment of its opponents, as Quintin and Galperin showed. What’s of particular interest to them is the use of off-the-shelf malware tools.

Using cheap commodity tools has the advantage of not leaving distinctive patterns that may give investigators hints as to who developed the malware. The downside, of course, is that most antivirus products can detect these tools.

For the regimes this is not such a problem, as most of their targets are relatively unsophisticated: most of the activists, lawyers and journalists targeted by government agencies or their contractors do not have high-level tech skills or use advanced security tools.

Another concern is how private contractors are employed by these governments. An interesting tactic used by the EFF is to commence legal proceedings against US-based corporations for operations they’ve conducted against dissidents visiting or living in the United States.

Galperin and Quintin have three conclusions from examining these attacks.

  • Attacks don’t need to be sophisticated to work
  • None of this research is sexy
  • The tools and actors are not sophisticated

While the tools and actors in these sad tales are not sophisticated, the costs to the targets are usually high as they and their families can be subject to terrible consequences.

As we increasingly see both simple and sophisticated software tools available to be used against citizens we can expect to see more abuses by governments around the world. The job of organisations like the EFF is not going to get easier any time soon.

We citizens though need to do what we can to demand safeguards and legal protections from our governments. Those of us in democracies should be making that clear at the ballot box.

Attack of the killer drones

In the age of drones it’s going to take more than fences to keep out today’s technologically savvy trespassers.

We’ve heard much about the benefits and fun of drones – remote-control aircraft – but what about the security and safety issues of the devices? At the Black Hat security conference today, Jeff Melrose of the Yokogawa industrial controls company described the risks posed when bad people use these devices.

With typical consumer drones having a range of up to five kilometres, the idea of an attacker needing to be physically close to their target no longer applies. A drone, as Melrose points out, can tailgate workers more easily than a person can and even navigate within offices.

Fences are no barrier, as Melrose showed with a camera-equipped drone being able to fly up to a valve within a gas field and then read its meter. The drone doesn’t even need to make it back; it could be landed on a roof where it quietly records its surroundings for weeks.

Put more than a camera on a drone, say a wireless packet sniffer or a jamming device, and the possibilities for mischief are endless. Melrose illustrated this by starting his presentation with a video of The Killer Drone, a flying chainsaw developed by a pair of Finnish farmers.

Scarier still was Melrose’s demonstration of the ‘target tracking’ technology included on the latest consumer drones, by chasing one of his research assistants across a lawn. Despite the assistant’s best efforts to escape, the aircraft was able to follow her.

Despite the scary aspects of drone spying, vandalism and harassment, the devices aren’t invulnerable. The two Finnish farmers had their drone brought down by a balloon, and drones are themselves vulnerable to all the risks – from chainsaws to signal jammers – that they present.

Melrose’s demonstration shows how the physical security world is changing as drones become commonplace. Fences, padlocks and ‘keep out’ signs are not enough to keep out today’s generation of technologically savvy trespassers.

Jeff Melrose’s presentation was a thought-provoking view of how the threat landscape is changing and of how risks evolve with technology.

Paul travelled to Las Vegas as a guest of Nuix.

Crowdsourcing the security world

Crowdsourcing security testing is proving to be a winning business.

Following the success of their Hack the Pentagon project, the US Department of Defense is to extend the project across its network.

Run over four weeks earlier this year, the pilot program reportedly generated 138 unique bug reports and paid out $71,200 to hackers.

The company running the pilot, HackerOne, is one of a group of companies organising bounty hunts for the hacking community.

Casey Ellis, the CEO of competing service Bugcrowd, describes his business as being “essentially a community of thirty thousand hackers from around the world.”

“The whole idea is to identify where the vulnerabilities are discovered and fixed before the bad guys,” he says. “Your guys who you are paying by the hour are plenty smart but they are competing with a crowd of bad guys who think creatively.”

Ellis explained how services like Bugcrowd allow clients like the US Department of Defense to manage the risk and administrative aspects of running a security competition, making it easier for large organisations to run crowdsourced projects like this.

Much has been written about crowdsourcing, but it’s in commercial fields like security testing where tapping the wisdom of the community really pays off. For some consulting firms, these services could turn out to be real threats.

The benefits of being public

Both the public cloud and a publicly listed company are good things for a business says Netsuite’s Zac Nelson.

“Managing a public company is a great discipline and in some ways gives us an advantage over non-public companies who don’t have to have discipline and make good investments,” says Zac Nelson, the CEO of Netsuite.

Nelson was talking to Decoding the New Economy yesterday at the annual Suiteworld conference, Netsuite’s annual gathering in San Jose.

The CEO’s comments are in contrast to a common view that being a publicly listed company distracts a company’s management from focusing on long-term objectives, a sentiment Nelson rejects.

“In terms of managing a public company I think it’s an important discipline, I think a lot of people are opposed to these SOX (Sarbanes-Oxley) rules but when I look at these rules I think they are just common sense. Are you managing your business right? You want to have control of your business so you aren’t blindsided.”

Probably the biggest advocate of taking companies private is Michael Dell who took his eponymous business off the markets three years ago and is now looking at doing the same thing with EMC in what will be the biggest IT merger in history.

Dell going private

Nelson doesn’t think Dell going private was a mistake though, “I saw Larry Ellison say it was one of the greatest business moves in the history of man, I’ll agree with Larry – he’s usually right on that stuff,” he laughed.

“The thing I see Dell doing that I understand is they are giving their smaller division more autonomy. Dell Boomi is going back to being just Boomi and Secureworks just went public. Certainly from a structural standpoint and business model innovation that makes sense and it’s what I understand.”

As a public company, Netsuite does come under scrutiny and one of the criticisms is that it continues to post losses, something that Nelson puts down to the treatment of stock options. In the last earnings report, the company claimed capitalising stock options added $30 million in costs and not including them would see the company reporting an eight million dollar profit last quarter.

“We’re cash flow positive, we generate over $140 million in cash,” Nelson says. “People are happy with it, we’re still investing. What we’re investing in this year is different to the past, we’re investing in services to enable our customers to invest in product.”

Integrating the stack

One of the advantages Nelson sees cloud-based companies like his having is integrated systems. “The client-server world created this perspective that dis-integrated systems actually work – you have Windows, you have third-party apps – but what really works well are integrated systems,” he says. “Look at the most common system you guys use, called Apple, it’s an integrated end-to-end system. Same with Amazon, that’s what we’ve built.”

“The detour we took in the client-server world is still being taken in the software world, a lot of software people believe you can compile this stuff and it will magically work. No, it doesn’t. Integrated systems work better.”

Securing the cloud

One area where he specifically sees cloud services having an advantage in being integrated is security: “A problem that large enterprises have that we to some degree don’t have is we have one system, we have five data centers. You look at some of these large enterprises and some of them don’t even know where some of their data centres are. How on earth do you secure that environment? It’s not a product problem, it’s a process and IT management problem.”

Nelson’s comments on security are a swipe at competitors like SAP and Oracle who are often criticised for having disparate systems.

With Suiteworld moving to Las Vegas next year, it will be interesting to see who’s taking bets against cloud services like Netsuite. Certainly with salesmen like Zac Nelson, they’re able to tell a good story. The key though is to show some profits in the longer run.

Paul travelled to Suiteworld in San Jose as a guest of Netsuite.


Probing the weakest links of the banking system

The Bangladeshi bank hack was a lucky escape but it is an early warning about securing our networks.

The breach of the Bangladeshi banking network has been shocking on a number of levels, not least for the allegations that the institutions were using second-hand network equipment with no security precautions.

Fortunately for the Bangladesh financial system, the hackers couldn’t spell and so only got away with a fraction of what they could have.

Now there are claims the SWIFT international funds transfer system may have been compromised by the breach, which shows the fragility of global networks and how they are only as strong as their weakest link.

As the growth of the internet shows, it’s almost impossible to build a totally secure global communications network. As connected devices, intelligent systems and algorithms become integral parts of our lives, trusting information is going to become even more critical.

Update: It appears the hackers were successful in getting malware onto the network, according to Reuters, but, like their main efforts, it was somewhat crude and easily detected. One wonders how many sophisticated bad actors have quietly exploited these weaknesses.

Reaping the security dividend

Digital disruption is driving boards and executives into realising the value and importance of cyber security, Cisco claims.

Boards and executives have finally got the message about security, says John Stewart, Chief Security and Trust Officer at Cisco.

For most of the computer era security has been seen as an inhibitor to innovation and speed to market, but now, with most businesses finding they face a three-year time frame to transform in the face of digital disruption, Stewart says corporate managements see the security of their products as a valued feature.

Stewart bases his view on an online survey, Cybersecurity as a Growth Advantage, where Cisco polled 1,014 senior executives with extensive cybersecurity responsibilities in 10 countries and 11 in-depth interviews with senior executives and cybersecurity experts.

From this, Cisco found that a third of businesses now see security as being a competitive advantage.

Digital disruption drives the shift

Stewart puts this down to boards and senior executives realising how widespread digital disruption is, “it’s highly unlikely Weight Watchers saw the disruption coming from Fitbit,” he muses. “In fact it’s hard to see how anyone could have seen that coming.”

As a consequence of these widespread and often unexpected disruptions, corporate leaders are trying to shore up their existing positions against unforeseen competitors by shifting to digital platforms as quickly as they can.

“We have to do digital and if we are going to do digital we have to have strong cybersecurity controls,” says Stewart in explaining why cybersecurity is an important part of this strategy.

Security as a cornerstone

“By making cybersecurity a cornerstone of their businesses, security-led digital organizations are able to innovate faster and more effectively, because they have significantly greater confidence in the security of their digital capabilities,” Stewart says.

Certainly managers are worried about the risks of going digital, with Cisco reporting many businesses have put projects on hold due to concerns about security risks: “a lack of cybersecurity strategy can cripple innovation and slow business, because it can hinder development of digital offerings and business models.”

According to Cisco’s findings, seventy-one percent of executives said that concerns over cybersecurity are impeding innovation in their organizations. Thirty-nine percent of executives stated that they had halted mission-critical initiatives due to cybersecurity issues.

Encouraging moves

While the possibility that corporate leaders are taking cyber security seriously is encouraging, that change is yet to be seen in the marketplace, particularly in the consumer Internet of Things market where being first trumps security, design considerations or even basic safety.

The real test for how important cybersecurity really is remains in the marketplace — will customers pay more for secure products?

One senses that in Cisco’s marketplace of enterprise customers, where security failures could have expensive, embarrassing and possibly catastrophic consequences, customers will pay more for trustworthy devices. In the consumer field it may well be different.

Probably the most important finding from Cisco’s survey is that businesses now understand security has to be designed into products and processes rather than being bolted on as an afterthought. If that is true, then we have come a long way.

Trade offs in the smart city

Smart cities are a trade-off between privacy and utility; what balance are residents prepared to accept?

What are the trade-offs in the connected city? Last week we had an opportunity to talk with Esmeralda Swartz, Ericsson’s Vice President of Marketing Enterprise and Cloud, about what policy makers and citizens need to consider.

One of the important issues is the security of the data being collected: “what are the benefits and what is not acceptable?” Esmeralda asks.

In all the conversations this site has had with smart city advocates the topic of open data has been essential, but this raises the issue of security, something lacking in the Internet of Things.

“Security has to be built into every level,” says Esmeralda who flags that the IoT adds a whole range of new risks.

Along with security, a critical part of a successful connected city is having open data, Esmeralda believes.

“If you start looking at all the layers that need to be connected then they have to be open,” she says.

Open data is a critical point for smart cities and connected communities; if information isn’t open then it’s hard for an ecosystem to develop or for residents to have confidence their data is being used for their benefit.

For companies like Ericsson, who are trying to establish themselves outside of the traditional telco model, gaining the confidence of communities and their leaders is essential to their smart city strategies.

Much of the smart city movement is based upon solutions looking for problems – a common trait of the IT industry – so for vendors like Ericsson to succeed in selling their products it’s essential to prove value to their customers and gain the confidence of communities as they trade off utility for privacy.

Warning against the connected car

The FBI and US Department of Transport warn of risks in the connected car.

A year after hackers demonstrated the risks of connected cars, the FBI and the US Department of Transportation have warned consumers of the risks in internet connected vehicles.

This warning comes as automobile manufacturers are pushing their new breed of motor cars as being software platforms rather than vehicles and calls into question how well security and safety are being designed into their products.

One of the recurrent features of these sorts of warnings is how regulators, manufacturers and software designers try to push the risks back onto consumers rather than the companies designing these systems.

Officials said that while not all car hacking incidents result in safety risks, consumers should take the appropriate steps to minimize their own risks.

It’s hard to see what consumers can really do, as most of these systems are ‘black boxes’ protected by strict terms preventing users from seeing, let alone understanding, the software running the vehicles. Customers have to trust the manufacturers to do the right thing.

For the Internet of Things, and connected cars, to be successful they have to deliver value to consumers and have the confidence of the market. Right now many of these features seem to do neither.


Bringing cybersecurity into the mainstream

The corporate world is taking security seriously, says Cisco’s Chief Security and Trust Officer, John Stewart.

“Cybersecurity is out of the dungeon and now selling itself as a business service,” says Cisco’s Chief Security and Trust Officer, John Stewart.

Stewart was discussing his company’s security challenges at a Cisco Live briefing at their Melbourne conference yesterday.

The shift to security as a business service follows the pattern of computerisation in business, believes Stewart: “at first businesses said you can’t keep important documents on computers, then they said you could only keep important data on computers.”

For Stewart, the fact that C-level executives recognise the importance of cybersecurity is a positive sign that indicates organisations are taking IT and communications security seriously.

When asked what keeps him up at night, Stewart said it was worries about infrastructure security; the Ukrainian power network’s experience after an attack from a seriously motivated group of hackers indicates just how serious this is.

Interestingly, Stewart remains focused on the risks of security breaches; as the Internet of Things rolls out, it may well be that the integrity of data streams becomes a far greater focus for system administrators and security officers.

Paul travelled to Cisco Live in Melbourne as a guest of Cisco.

Thinking differently about Cyber Security

We need to think differently about cyber security in order to protect our networks says a former British intelligence officer.

“I get quite frustrated with the cybersecurity industry,” says Andy France, Deputy Director of Cyber Defence Operations at the British intelligence agency GCHQ. “We have to think differently.”

France was speaking at the Telstra Cyber Security Forum at the company’s Sydney experience centre yesterday, where he outlined how organisations are rethinking how they protect their data.

“What we haven’t realised is, just like the Bronze Age, the Stone Age, the Industrial Age and the Internet Age, we have to think differently about what that means in terms of security and privacy. We have to think differently about how we build systems.”

The biggest problem France sees in the industry itself is the lack of skills to build those secure systems, a situation he believes is partly created by the sector’s credentialism, where gaining certifications is several orders of magnitude more bureaucratic than becoming a fighter pilot.

In contrast, the bad guys, whom France splits into five groups – script kiddies, hacker collectives, crime syndicates, hackers for hire and nation states – have no such concerns about certificates and accreditation.

“You have serial collectors of letters after their names,” he states. “We’re putting an artificial bar against the people with the new thought processes that are going to help us address this problem.”

“It feels like the criteria has been set up to create a nice little market so we can control day rates,” France says, “in a world where we’re screaming out for talent and need people to come along who are interested and challenged by the subject.”

Apart from the trap of credentialism, the real concern for businesses and users should be the integrity of data, in France’s opinion. We need to be certain information is accurate, a problem that will be exacerbated as business processes are automated around data streams connected by the Internet of Things.

France suggests three principles should underlie an organisation’s data defences: having systems in place to spot early indications of a problem, obeying the five ‘knows’ and understanding your network.

Understanding your network, what France calls the ‘defender’s advantage’, is the most essential task of all for someone protecting their organisation’s data. “If someone knows your network better than you then that should be a criminal offense,” he states. “To get the defender’s advantage in place you need to understand your network.”

“Technology in itself will not keep you safe,” France says, and describes security as being subject to Pareto’s Law, where most vulnerabilities are mundane background noise: “we need to have a balance where technology looks after the 80% and we have the people and processes in dealing with the unexpected 20%.”

“It’s certainly not going to get any better,” France warns about the trends for cyber security in 2016. For most companies and system administrators it’s going to be a matter of being alert and having the processes in place to deal with the unexpected.