Bruce Schneier keynote from the ISF conference

I recently attended, and presented at the ISF annual congress in Berlin.  One of the highlights of the conference was the keynote talk from Bruce Schneier.

The talk focussed on some of the current developments in IT, the internet, machine learning, IoT (Internet of Things), and what these may mean for IT security and basically everyone’s safety and security.

My notes from the talk are below; they are relatively rough, but I thought them worth sharing as there are some great points and things to think about!

Internet now Senses, Sees and Acts – definition of a Robot?

Does this mean we are building a world size robot?

It’s a distributed robot…

Combination of;

Mobile, cloud, persistent computing, big data, IoT

And Autonomy..


This means – Computer security becomes Everything security…!

That means that all the things we understand from patching and vulnerabilities to security vs. complexity to network effects become relevant to everyone / everything.

As computers become more integrated with real life (medical, cars etc.), we likely move from confidentiality being the most important part of the security ‘triad’ to safety..

How do we deal with things like;

Algorithms that choose where police go or who gets parole?

How can we allow police to safely stop a car, vs. criminals being able to stop any car?


Tech / security arms races;

  • Spam
  • Click jacking
  • Ad blocking
  • Credit card fraud
  • ATM fraud


5 trends affect this security arms race (currently, may change in the longer term);

  1. Attack is easier than defence
    1. For a bunch of reasons, like complexity
  2. New vulnerabilities in the interconnections
    1. The more you connect things, the more vulnerabilities in one thing can affect another
    2. E.g. recent massive DDoS – was from cameras etc. – so vulnerabilities in these led to massive impacts elsewhere
  3. More critical systems mean more power to attackers
    1. Internet allows criminals to scale
    2. Allows attacks from anywhere / everywhere – e.g. I live in the UK, so don’t care about burglars living in Germany.  But with connected systems I can be attacked from anywhere.
    3. You don’t have to worry about the average attacker, you always have to worry about the best, as the best guy will be the one writing the tools..
  4. The economics of computer security don’t trickle down to the Internet of Things
    1. E.g. how do we secure and patch the billions of very low value devices
    2. Computers and phones – updated all the time, staff at MS etc. employed just to patch
    3. Low cost embedded systems – written somewhere, dev / company moves on.  Some can’t even be patched.  So the only way to patch is to throw away and replace.  Is this a viable patch strategy?
    4. We also regularly replace things like phones and computers – this provides improved security and ensures updates.
    5. IoT stuff isn’t like this.  How often do you replace your DVR, your home thermostat etc?? 5 years, 10 years? Never??
    6. Owners and producers of these devices don’t care about the issues.
  5. Copyright laws make it very hard to do security research on these devices
    1. It can be illegal to circumvent the security of these devices, even for research.
    2. Criminals don’t care, obviously.
    3. Criminals will do the ‘research’ and will hack the devices.
    4. Researchers likely will not do the work if they will be threatened and unable to publish the research..
    5. How will we ever improve?

How to fix this;

  • Do it right in the first place
  • Agile security – rapid prototyping, fix failures fast


Doesn’t work – Chrysler recalled >1M cars to update software

Does work – Tesla – remotely updated software of all cars


Technology and Law must work together or both will fail

Example – Snowden papers showed that technology could circumvent the law, as well as the other way round

Need clear government policies on this

Do we need a new regulator for this stuff?

What regulations do we need?

Does this need to be international, not national?

Governments will get involved, can we lead this to help drive sensible and usable regulations?


Main points

  • IoT changes everything – computers impacting the world in a physical manner
    • Fewer off switches
    • Not designed, just growing
  • Threats getting worse in several dimensions
  • This is all coming, fast.  Government involvement is coming
  • We need to get ahead of this – we need to start making serious choices.  We need relevant, workable laws.  We have moral and ethical choices to make.
    • We need to change how we code.
      • When software didn’t matter we let developers code how they wanted and how they saw the world..  Bugs just get fixed later.
      • Now, with lives more and more at stake, we need society to decide what is OK, and hold developers to account.
  • We need to bring together policy makers and technologists!


Government response will be fast and likely unplanned – e.g. ransomware against cars – millions of people can’t get into their cars.  OR a power plant goes offline.

This will lead to very fast and possibly badly thought out action, and regulations

Hence the need for us to get ahead of this!

We won’t get to choose – once lives are at stake you don’t get to decide if you’re regulated.  Airlines, drug companies etc. don’t get to say ‘hey, don’t regulate us’..  Once the internet / IoT etc. are as important as drug companies they will have no choice but to be regulated.


Do we really need to connect everything together?

E.g. could some systems (SCADA for example) connect to a SCADA only network?  Not a new internet, just secure / controlled networks for some systems?

He does believe we will solve this, but it is challenging 🙂  He is actually optimistic about this!


I’m sure you will agree, some great thinking points.  We live in very interesting times, IT security is going to become increasingly critical as more and more systems that genuinely and immediately affect life become connected to the same internet as everything else.

What are your thoughts?  Can we safely and securely enable all of these interconnected systems?

K


ISF congress post 8: Information security – Where next?

Keynote with – Bruce Schneier (BT) and Quentyn Taylor (Canon)

This was a very free flowing discussion, but I have tried to capture the main points that were made;

Thoughts on the state of the security industry today; 

Quentyn – Things never change.  Technologies change, but we still have the same issues as always.  We seem to have a mentality of ‘if I can just get the next best thing installed we’ll be secure’.  We are obsessed with the new – the next threat, the next big issue – these mean new technologies and new things to base next year’s budget on.

  • Focus on the basics.  Verizon threat report – the vast majority of the issues are old and simple – related to patching etc. and not the latest advanced threats.
  • Look out for the new upcoming EU regulations.


Bruce – In some ways things haven’t changed, some things have.

  • Security is proving hard to sell.
    • Economic reason – It has got more complicated than the buyer can cope with.  Many specialised, niche products that are hard to understand if you are not an expert in that specific area.
    • Psychological reason – Greed is a much better sell than fear.  Security is fundamentally a fear sell.  Other tricks are magazine awards and reviews.
  • Cloud may not be new, but it is new that everyone is using it.  For cloud services we don’t ‘do’ security – we have to trust the vendors.  What O/S does Facebook use? Do you know? Do you care? – you don’t have to, but you have to trust them.  We have to trust the cloud vendors to be sensible, and this is fundamentally a law and regulatory issue, but there are some technologies coming along to help as well.
  • Without this trust things can go very wrong – since the recent NSA and encryption revelations, there have been many discussions around people doing their own thing for cryptographic solutions.  Doing your own encryption is almost always a disaster, but a lack of trust makes people do silly things.


Quentyn – Comment on the fear sell, in the 60s politicians promised to get us to the moon, now politicians promise to avoid disaster.

  • If there is a disaster at your company, do people take it and learn from it, or do people get blamed and fired?


Evolution of the CSO role and the complexity of the technology – is the CSO a translator to the board?

Bruce – yes in a way, someone needs to, and the most senior security person is likely best placed.  Communication skills are key.  Risk management is key.  Security is increasingly part of general risk management.

Quentyn – Dislikes the term CSO.  Rarely does the CSO sit properly on the board in the same way as CFO, CEO, CIO etc.  Is the role really C-level?  Both agree it probably isn’t, and the C implies more than CSO / CISO really / usually is.

Securing the supply chain, what are we going to do about it?

Quentyn – A lot of security people don’t read the company reports etc. and don’t really understand in detail the business they work for, so how can they secure the supply chain?

Bruce – This is fundamentally a trust issue – I have to trust the companies that supply me to do their jobs, so the question is how do we get this assurance (audit details, contractual details, external assessments etc.?)  Do I need to include my supply chain’s audit reports in my overall audit report?

Quentyn – Example of Canadian bank discussion – we now have a requirement to audit, not to trust.  Question is how to get this from large vendors.

Bruce – There needs to be enough demand, and legal regulations to enforce this and make large brands such as Microsoft produce public audit and compliance reports for their customers.

Quentyn – The other side of this is what the vendor / service provider has to lose.  If a cloud provider, or mail processor or whoever is caught with someone in their business reading your data or mail, they stand to lose a huge amount of business if the trust in their service is lost.

Bruce – Largely agrees with this.  Trust can be regulated, especially with government examples such as a driver’s license, or a certificate in a doctor’s office.


Some more detail on the EU data protection act;

Quentyn – the fines for this are now capped at either 100 Million Euro, or 5% of the corporation’s global revenue – whichever is larger.  This could mean huge fines for some breaches of this legislation.

Bruce – Reputation is a powerful reason for companies to act in a trustworthy manner, as well as fines.

Why is this a future issue, rather than the same as now

Bruce – if things are owned by you and run in house, governments get less involved.  When you are using multiple cloud companies and data plus processing is global, government will regulate the providers much more.  This means more reliance on international laws, and getting better at combating international cybercrime.  We do seem to be getting better at this.  Yes there are bad actors and bad things happen, but things are nowhere near as bad as we (myself included) predicted.  We all bank online, we all bank on our phones, and we all know better!  However we do it because it’s actually relatively safe and we know this too.

Microsoft vs. Apple – we all thought it was better to have freedom to run what we want, yet Apple has fewer vulnerabilities than Microsoft.  (no mention of historical user base etc.).  However the downside of this is when Apple owns the device and manages the device, how do you know what is in memory?  How do you know if files have really been deleted etc.?


Discussion around mobile devices, use and Data

Bruce – The difference with phones is that while they are just small computers, you carry them all the time so they are more easily lost.  He is more scared crossing borders with his smartphone than any other device, as with Apple he has no visibility of what is really on the device or in the device’s memory.


Where are we going with Apple vs. Android – which will win – controlled walled garden (Apple style) vs. openness and freedom.

Bruce – likely more control and less freedom, sadly.  Users want security to be invisible, and don’t really care, us IT security types are not representative of normal users!

Quentyn – Agrees, saw a headline about iPads not winning because IT managers don’t like them, he thought it was a joke headline..

Should security drive business decisions?

Bruce – No, we should influence them, but not drive them.  And we are annoying.

Quentyn – we’re the no no no department..  But seriously, should influence and be involved, but not drive.

Where are we going, are things getting better?

Bruce – yes we are getting better, and we are improving at teaching security.  However the problem is IT is expanding, so medical IT, cars, smart grid etc. are all learning the same painful issues – of course it’s secure, what do you mean you can hack a car? then they get hacked, then we have to secure them.

Quentyn – Think we need to wait 3-5 years to see if we are really improving.  Dick Cheney has raised a concern that his pacemaker could be hacked as it has bluetooth!

Bruce – Likely if you ask the vendor why the pacemaker has bluetooth, the answer will be ‘because it was on the chip we used’..

Bruce – issues are often caused when computers are added to the physical world – e.g. we are adding IP stacks to medical devices, introducing a host of vulnerabilities and attack vectors that were not there before.  Imagine if your smart fridge got a virus – it wouldn’t be fun!

Five points / key trends to bring the discussion together;

  • Translator role between IT and business (CISO discussion)
  • Reputation and risk
  • Fines might work
  • Driving towards control – people will often give up control for convenience.
  • Building security in, especially as we add IT to more devices and features.

K

Phishing; what is phishing and how to protect against it.

Phishing continues to be one of the key attack vectors against both individuals and corporations.

At a personal level it’s one of the most successful ways malicious individuals and groups have for stealing credit card details and identities.

At a corporate level it is one of the most, if not the most, common entry points into an organisation.  This is true even for the majority of the Advanced Persistent Threat type attacks that are discovered; while they may use many clever techniques to avoid detection once they are established, the usual entry point is via some form of social engineering, with Phishing being the most common social engineering attack.

It is due to this that I was recently asked to create a brief overview of Phishing covering what it is, why it is so prevalent, and what can be done to reduce the risk.  I’m sure most of you are aware what Phishing is, but I thought I would share some of the content of my recent presentation.

I started with a brief overview of what Phishing is;

•Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The best way to protect yourself from phishing is to learn how to recognize a phish.

•Phishing emails usually appear to come from a well-known organization and ask for your personal information — such as credit card number, social security number, account number or password. Often times phishing attempts appear to come from sites, services and companies with which you do not even have an account.

•In order for Internet criminals to successfully “phish” your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information of you via email.

Wikipedia has a longer version providing an overview of Phishing;

http://en.wikipedia.org/wiki/Phishing

This is actually a pretty good article covering a brief history of Phishing, various Phishing techniques, and some prevention / anti-Phishing tools and techniques.

I then went onto cover some further terminology around different types or developments of Phishing that have dramatically improved its effectiveness;

Phishing began as very generic, spam like emails.  These have over time become much more realistic and targeted in order to improve the chances of success for the attacker.  Various terms have been coined to describe these more targeted attacks;

•Spear Phishing refers to attacks targeted at specific individuals or groups of individuals such as employees of a company.  Attackers will gather personal and / or company specific information in order to improve their chances of success.

•Clone Phishing is where a legitimate email that contains attachments or links is cloned / copied, but with malicious attachments or links.  This exploits the trust that may be inferred from the email coming from a seemingly legitimate source.

•Whaling is a term for phishing attacks specifically targeting only very senior company executives.

•A further term recently coined in a blog post by Bruce Schneier was ‘laser guided precision phishing’ when describing some recent advanced phishing attacks.  The clear message is that these are getting better and harder to spot all the time, and these attacks are seldom stopped by technical means;

–“Only amateurs attack machines; professionals target people”

Basically Phishing continues to evolve, with attackers spending time to do reconnaissance on higher value targets to make the attacks look as realistic as possible in order to increase their success rate.

The final part of the presentation covered some of the methods that can be employed to reduce the risk from Phishing attacks;

•Security / Phishing awareness and training.

–Phishme (or similar service) – this has a great success rate with figures such as 60% of users clicking on Phishme email links reducing to <10% after a few cycles.

–Broader training – regular communications from our department around security awareness and things to look out for.

•Make emails from external sources more obvious, such as by changing the display name on internal emails.

–This helps improve vigilance, however so many emails are received from external sources that the benefit is likely limited.

•Disable links and attachments in emails from external sources

–Likely impacts many business processes, is a white list of all ‘trusted’ email sources feasible or maintainable?

•Ensure any heuristic and zero day type protections are functioning as designed to provide maximum protection from bespoke and new attacks.

•Enforce ‘least privilege’ – no users log onto any machine with administrative or root privileges, always use ‘Run As’ or Sudo for any actions requiring elevated privileges

•Ensure any browsers in use are kept up to date with any anti-phishing add ins / tool bars installed and functioning

•Black / White listing of acceptable sending domains.  White listing is more cumbersome, but more effective, black listing is easier (as with most security technologies) but less effective as it can only block known bad sites / domains.  Neither of these techniques will stop spoofed emails or emails from compromised ‘good’ sites / domains.

•Become involved with organisations / forums such as the Anti Phishing Working Group; http://www.antiphishing.org/
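As an added example (my own illustration, not code from the original presentation), here is a minimal Python check that implements two of the controls above: tagging mail from external domains and comparing the sending domain against allow / block lists. It also adds two header heuristics (a display name that claims an internal address, and a Reply-To on a different domain) to surface the spoofing cases that the domain lists alone cannot catch. The domain names, policy and sample messages are constructed for illustration.

```python
"""Classify an inbound email by sender domain, tag external mail and flag
common spoofing indicators.  Added example; domains are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed policy (hypothetical domains). A real deployment would load
# these from the mail gateway's configuration.
INTERNAL_DOMAIN = "example.com"
ALLOWLIST = {"trusted-partner.example"}   # known-good external senders
BLOCKLIST = {"phish.example"}             # known-bad external senders
EXTERNAL_TAG = "[EXTERNAL]"


def split_address(header_value):
    """Return (display_name, address, domain) from a From:/Reply-To: value."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rpartition("@")[2].lower()
    return name, addr.lower(), domain


def classify(raw_message):
    """Return a dict with the verdict, the (possibly re-tagged) subject and
    any spoofing flags.  Only the *claimed* sender is examined, so a forged
    From: using the internal domain still passes as internal; this check is
    meant to sit alongside SPF/DKIM, not replace them."""
    msg = message_from_string(raw_message)
    name, addr, domain = split_address(msg.get("From"))
    subject = msg.get("Subject", "")

    if not domain:
        verdict = "reject"            # unparsable or missing sender
    elif domain == INTERNAL_DOMAIN:
        verdict = "internal"
    elif domain in BLOCKLIST:
        verdict = "block"
    elif domain in ALLOWLIST:
        verdict = "allow"
    else:
        verdict = "external"          # unknown external sender

    flags = []
    # Display name pretends to be an internal mailbox while the real
    # address is external ("helpdesk@example.com" <x@somewhere-else>).
    if verdict != "internal" and ("@" in name or INTERNAL_DOMAIN in name.lower()):
        flags.append("display-name-spoof")
    # Replies would go to a different domain than the one that sent the mail.
    _, _, reply_domain = split_address(msg.get("Reply-To"))
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-mismatch")
    # Make external origin visible to the user in the subject line.
    if verdict in ("external", "allow") and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"

    return {"verdict": verdict, "subject": subject, "flags": flags, "from": addr}


# Constructed sample messages (not real mail).
SAMPLES = {
    "internal": "From: Alice <alice@example.com>\nSubject: Lunch\n\nHi\n",
    "blocked": "From: Bank <alerts@phish.example>\nSubject: Verify account\n\nClick here\n",
    "spoof": ('From: "helpdesk@example.com" <support@mail-relay.example>\n'
              "Reply-To: collect@phish.example\nSubject: Password reset\n\nReset now\n"),
}


def run_samples():
    """Classify every constructed sample; returned so it can be inspected."""
    return {label: classify(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:9} {result['verdict']:9} {result['flags']} | {result['subject']}")
```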

In conclusion I would wholly recommend a solid defence in depth strategy for your organisation when it comes to security tools and strategy, but I would also say that user training is a key component of reducing the risk from Phishing; if not the most critical component.

A great way to learn more, and help improve anti-phishing techniques is to get involved with organisations such as the Anti Phishing Working Group (link above).  They also offer some useful anti-phishing training.

It would be great to hear your thoughts on Phishing, and the user training vs. technical controls debate.

K

RSA Conference Europe 2012 Keynotes; day two part two

Keynote 3 – ‘Are we getting better?’ Why we don’t know.  What can we do about it?

Joshua Corman, Director Akamai Technologies

Change is constant;

– Evolving compliance
– Evolving Threats
– Evolving Technology
– Evolving Business
– Evolving Economics

Historically most of our security time and budget went on understanding who is attacking us and how, and understanding our IT landscape.  Now since the onset of so much legislation 50% of security time and budget is spent meeting regulations.  In some companies this is closer to 100%.  Why?  Because the organisation might get hacked, but it will be fined if it fails an audit.

So in a world of ever increasing and evolving threats and increasingly complex systems our focus is diverted from true risk management and security.

Another reason to believe we are not getting better is that we are rapidly increasing our dependence on technology and software systems much more quickly than our ability to secure them, e.g. insulin pumps have been hacked to deliver lethal doses, Microsoft Windows is now in some cars, we rely on web sites that are still regularly hacked, etc.

Are our challenges not technical but cultural?  For example the OWASP top 10 list of issues has basically never changed!  Why have we not yet solved any of these issues?

Why is this?

– We have faith based security
– We need evidence based security
– However we have very little data, and what we do have may not be for the genuinely most serious issues – we focus on what is visible, not what is important.
– Drunks and Lampposts! – we (and vendors) use data to prop up our views and desired message, not to show the true picture, in the same way a drunk uses a lamppost for support, not illumination.

Collection of thoughts presented;

– Vendors don’t need to be ahead of the bad guys, they just need to be ahead of the customer!
– We have and accept buggy software
– There is a lot of FUD (Fear, Uncertainty and Doubt) and conversely Blind faith
– We had the chance to do cloud computing better, but are already having the same types of conversation as before..
– The security industry scores very high on the Maslow stress index..
– Most companies and CISOs cannot stop standard Metasploit attacks; if we can’t stop ‘script kiddies’ how can we expect to stop ‘grown up’ attackers? – HD Moore’s law..

What can we do about it? (in order of importance);

– Pick one;
  • Make excuses
  • Make progress
– Build defensible infrastructures including rugged software
– Operational excellence – run IT well, understand what you have
– Situational awareness
– Countermeasures

Joshua has a very interesting blog covering these points and many others.  This can be found here;

http://blog.cognitivedissidents.com/

To summarise: Seek Knowledge, Make Progress, Collaborate with people, be unreasonable! 🙂

Overall a great although sprawling and fast paced talk.

——–

Keynote 4 – Trust, Security and Society

Bruce Schneier

We as a species are very trusting; just having breakfast you effectively trust 1000s of people to have safely grown, prepared and served your food.  Society wouldn’t function without trust.  This is why we do security: security enables trust, and trust enables society.

There are two forms of trust –

– Personal, when you know someone, and understand some of their likely motivations and expected actions.
– Impersonal, you trust / assume someone will perform tasks as expected – e.g. you trust a taxi driver to take you to the right place and not overcharge you (too much!)

In society we trust a lot of people and entities all the time to perform as expected and fulfil agreed actions.  This trust is for individuals, things / organisations that are physically there, and much more abstract organisations / functions.

Conversely, in any system like this people can ‘game’ the system and act in untrustworthy ways.  Consider game theory and the prisoner’s dilemma.  People can be ‘defectors’.  However defecting only works if the defectors are not too successful; if defecting becomes too successful, things (in this case society) can collapse.

Security is how we keep the number of defectors to an acceptable level.  This does not mean zero, as getting towards zero becomes prohibitively expensive.

So how do we do this?  Societal pressures;

– Morals – mostly comes from within our own head
– Reputation – mostly comes from other people’s opinions of us
– Laws – ‘formalised reputation’, where laws are not just government type laws; this also includes expected behaviour within your company, expected behaviours within a group or team etc.
– Security systems

These pressures allow society to scale.

Society will use these pressures to find a balance / equilibrium between these pressures and defectors.  Usually not explicitly, but as an example if there is a lot of crime people will expect more time and effort to go into policing, when crime is very low they will ask why spend so much on policing when we have all these other issues..

Technology makes society more complex and is leading us through a time of great societal change.

To summarise;

– No matter how much societal pressure there is, there will always be some defectors
– Increasing societal pressure is not always worth it
– We all defect at some times. No one is perfect.
– There are good and bad defectors and it can be hard to differentiate.
– Society needs defectors – we all benefit because some people don’t follow the norms..

K

Attack Mitigation – Assume the worst

I have recently been catching up on what was happening at the RSA conference from San Francisco this year and what some of the key security trends are.  One thing that has jumped out is the move from ‘we can protect you’ to you are or will be hacked so what can we do to mitigate the damage and catch the malicious individual or group.

This has been coming for a few years with the increasing use of cyber-warfare by governments and the military, and the emergence of APT (Advanced Persistent Threat) where well funded criminal gangs will expend a lot of time, money and skill to gain long term and potentially subtle footholds in company systems.  These factors, along with all the ‘standard’, existing threats and continued successes of social engineering attacks such as Phishing, have led many security leaders to suggest that you have likely already experienced a breach and you will, not may, experience breaches in the future.

This is backed up by research from the Ponemon institute that suggests 70-80% of organisations have experienced a data breach within the last 20 months.

So in addition to the standard perimeter and control type solutions there are now vendors and consultancy firms offering solutions to limit the damage that occurs when these preventative measures fail, and at the same time capture as much information as possible to aid in the tracking down and capture of the attacker(s).

This is an interesting wake up call for both the security industry and all companies – the protective measures we have relied upon for years work, but they are far from infallible and will fail when faced with a concerted effort or a duped user who already has system access.

A couple of interesting references covering this in more depth;

Dark Reading – http://www.darkreading.com/advanced-threats/167901091/security/news/232602708/security-s-new-reality-assume-the-worst.html

Bruce Schneier – http://www.schneier.com/blog/archives/2012/04/attack_mitigati.html

The Dark Reading article is particularly interesting, and it’s well worth reading both sections.

Remember – your company’s systems will be breached.. What will you have in place to minimise the damage and assist in preventing the attackers from doing the same to more organisations?

K

Hackers outwit on-line banking security

If you ever doubted either the inventiveness of criminals, or the need for taking sensible security precautions this story should be a wake up call;

http://www.bbc.co.uk/news/technology-16812064

Hackers have developed ‘Man in the Browser’ attacks that potentially allow them to circumvent even the relatively new 2-factor chip and pin security many banks now implement.  These attacks also have the potential to at least temporarily evade protection such as AV software and any blacklists as they will redirect to new sites that are not yet known by security firms.

In short stay vigilant, keep your computer(s) protected and up to date, and always use security software such as anti virus etc.  And as documented by Bruce Schneier several years ago we need to look at authenticating each transaction.

K

Trust requires transparency

I came across this excellent post via Bruce Schneier’s blog;

http://newschoolsecurity.com/2012/02/dear-verisign-trust-requires-transparency/

The post highlights that while Verisign has publicly claimed that they have dealt with the recent breach of their systems and that the Domain Name System (DNS) has not been compromised, they are still very light on details of what actually happened and how the DNS system was protected and has in fact not been compromised.

The point of the post is that for us to truly trust them and the systems they own and run again, they must be open and transparent.

This is an excellent point and one well worth remembering.  While it may appear that the most secretive systems or organisations may be the most secure, actually it is likely we can place the most trust in those that are most open where we can clearly see and verify the security of their systems and processes.

Read the post and Verisign’s statement and make up your mind on whether you think you would be more ready to trust them if they were more open and transparent.

Be secure, open and trustworthy..

K