Poor Password Hygiene is a Major Security Threat
Cyber Security Teams Stressed to the Hilt
I read a LinkedIn post yesterday from Mike Ebbers (post) postulating how we might make a comparison between law enforcement and information security personnel. His basic premise is that law enforcement does not prevent 100% of crime, but they are not "fired" for not meeting this unattainable goal. So, why are company IT security personnel not held to the same standard?
After all, is it realistic to expect our security teams to have a 100% prevent defense? Since I served time in the law enforcement/intelligence field (read my story on LinkedIn), this post resonated with me.
Our firm works with security teams in enterprises every day and I can tell you they are dedicated, trained, passionate and STRESSED to the hilt on getting things right: from having the right "tools", meeting business-driven metrics and adhering to overwhelming compliance and regulations, to keeping up with all the "new shiny security objects" and the associated noise in the market. Plus, add in the continued bad habits of employees that lead to security risks. It's no wonder the average life span of a CISO is 2-3 years.
So, what do businesses do to support their security teams and provide realistic and acceptable metrics that have some relevant measurements? Mike's proposal to define acceptable metrics is a start. How about developing a "risk register" at the business level that drives those metrics and identifies the severity of each risk and the possible solutions that can be applied? We usually ask clients if they have a risk register, and often the answer is "NO".
Maybe do what Steve Cohen wanted to do when he started up his new investment firm (after being the subject of an SEC probe of criminal behavior): look to hire former law enforcement (article).
What do you think?
Are Cybersecurity Personnel Batman?
Last week I listened to a podcast by CyberCrime Magazine with Robert Herjavec (link to podcast).
I have tremendous respect for Robert and what he has accomplished with his company and the services they provide to keep us safe. So, of course I would listen.
The main topic was about the lack of skilled cybersecurity personnel in the market. Several points were mentioned such as the need for training, the shortage of women in the security sector and the lack of PR for evangelizing the “coolness” of being a cybersecurity person.
Robert does have a point on the “coolness” factor for the younger generation. My personal thought on how to deliver this message, in addition to PR channels, is through mentoring. Just recently I had the opportunity to mentor a recent high school graduate on changing his college major from business to cybersecurity, specifically the field of digital forensics. He was confused as to how he could succeed because he was told by others that unless he had a background or experience in digital forensics in the law enforcement field he would have a difficult time. BS… I explained to him the need for forensics and how the market is embracing this discipline as it relates to cybersecurity, and offered some guidance on how to start. I also provided him a chance to attend a totally free 7-week course on security to give him a good foundation to start his training. So, perhaps the “coolness” message is getting out. But, if you have a chance to influence or have a conversation with someone on their career direction, DON’T hesitate to jump in and help.
One last point on the podcast. When Robert was asked what he thought made cybersecurity professionals “happy” in their job his answer was “BATMAN”. Being able to help others and catch bad guys. He even thought he was “BATMAN”. A pretty cool analogy.
I thought about Robert’s response and reflected on my career in the intelligence/law enforcement field (read my story on LinkedIn: My Story: From COP to IT Executive. The Best Business Training). So, who is the real BATMAN? I’ll let the readers decide!
Core beliefs and a purpose driven profit model
It's been 3 years since we launched Intelligence Services Group and wow, what a journey it has been. Over these years we are consistently asked WHY did you start this business when there are so many vendors/competitors. At the time I never considered competition, nor did I care. I had a belief there was a coming tidal wave shift in the market for companies not just needing IT solutions, but how will they battle criminals attacking them every day inside and out.
So, when starting iSG I had to ask myself a fundamental question: Why do I want to do this? After all, the market is saturated with vendors who propose to provide security services and products. Why would anyone listen to us, why would they care to do business with us?
Over the years I have been on both sides of the IT equation. I employed consultants and purchased IT products while building out data centers/enterprise networks/systems. I was also on the vendor side delivering IT solutions. So, I had a good grasp of the "supply chain" of technology and understanding of seeing through the FUD that permeates the tech market. But, that was just one side. My other side was from the intelligence/law enforcement community. Chasing bad guys, gathering intelligence to battle threats and experiencing the worst humanity had to offer left some lasting impressions. One of those impressions was the need to be a contributor to community and not just a taker for self.
So, when the business concept was developed of fusing our intelligence DNA with specific technology solutions to help companies manage risk I was insistent we had as our core beliefs:
- A laser focus on customer success without the FUD most vendors provide;
- A "profit with purpose" business model that is a contributor to community and not just a taker.
Every day we focus on how to help people/companies be successful. We are driven by being part of how they attack their problems. Giving them alternatives and fusing those alternatives to their business model is what inspires us. We love sharing our DNA, how we take ownership of the client’s needs and that we have NO sales team focused on delivering FUD.
As we become successful we must share that success with the communities where we operate. Whether it's participating in supporting non-profit causes, like the NASCAR Foundation or the National Police Defense Foundation, or being a business mentor at UCF (by the way, the real college national football champions this past year), our purpose will always be dominant in our thinking. That will never change!!
Two months ago, our firm announced a partnership with HyperSpace Security to bring their encryption technology, Key Shadowing, to market. You can read the press release here (press release).
The headline claims Key Shadowing to be a “disruptive” technology to the cryptographic key market. A rather bold statement. A statement we have been sharing every day for the past number of weeks with our clients and prospects. Every call, every demo and every conversation we’ve had with our eco-system and the media has focused on the Key Shadowing “disruptive” factor.
When we did our due diligence on Key Shadowing and decided to take on the partnership the term “disruptive” stuck with us. Were we skeptical? Maybe a little. Consider the business definition of disruptive: relating to or noting a new product, service, or idea that radically changes an industry or business strategy, especially by creating a new market and disrupting an existing one.
We have all heard this before, especially in the IT security space. However, after speaking to Dane Butzer, the inventor of Key Shadowing, and grasping the hyper math behind the patent, its ability to “eliminate” master keys and the immunity property to quantum computing, we came to understand the “disruptive” moniker. You can read the white paper for yourself (white paper).
The ELIMINATION OF THE MASTER KEY. No more lost or stolen keys. No need for a Key Management System. Now, consider the impact to the deployment of asymmetric keys, symmetric keys, message authentication codes (MACs), key encryption keys and distributed ledger technology (DLT)… can you say blockchain?
Does this qualify as “disruptive”? What do you think?
I was fortunate last evening to attend my first mentoring event at the University of Central Florida, College of Business in Orlando.
Not sure what to expect as I went in excited and anxious to learn about the program and have a chance to meet a few students.
Wow, was this a great event! It started with the mentor reception prior to actually meeting students in a "speed dating" type atmosphere. ( Wish I had more time with each student ). The room was packed with enthusiastic people wanting to offer their guidance and experience. I met individuals from all facets of business. From HR to a retired engineer for power generation plants. What a diverse group of experiences and leadership that came together to offer their input.
The highlight for me was meeting the students and hearing what they hoped to obtain from a mentoring opportunity. Each one had their own reasons and they varied from looking for an internship to getting advice on what they should do to succeed in their field. ( Not sure what I could offer to the accounting majors for guidance in their field ).
At the end of the "interview" I asked each student what they felt was the one trait that is ( in my view ) the most important to have to be successful. The answers varied as you could imagine. But, one student hit it correctly COMMUNICATION. I explained that no matter what field or business you go into if you can communicate and articulate your thoughts, ideas, passions and insights to get people to listen you will be successful! Hopefully, that resonated.
I encourage everyone to take the time to get involved. It doesn't have to be a formal program at a college; it could be in your company or in your community. Each of us has something to offer. Share it.
At the end I wonder who is the real mentor, me or the students I had the honor of meeting.
What a great learning experience!
I read with interest last week a blog by Robert Herjavec titled: Blockchain Technology Is Here to Stay. There are some predictions about blockchain being a fundamental business enabler and how it will disrupt a number of sectors from finance to real estate and transportation. On that I agree. We're already seeing the financial sector pursuing an aggressive strategy for adoption. Just look at the announcement by SWIFT last October on their successful trial of blockchain (Swift Blockchain Success Sets Stage for Sibos).
What stood out for me in Robert's blog is the comment: "The best part of this technology is that transactions cannot be altered!"
One only has to do a Google search to find several hacks on blockchain and cryptocurrency to see the financial impact. Want more proof on the risk of blockchain and how it can be hacked? Here is a good article titled: Can The Blockchain Be Hacked? published in Sept. 2017.
Blockchain is an open and cryptographically signed ledger based on hashing and cryptographic private/public key technology. With the evolution of quantum computing comes the possibility of quantum attacks on blockchain and its inherent reliance on cryptographic keys. There is plenty of research and publication on how blockchain, through quantum computing, is vulnerable. (Do some research on the Grover and Shor algorithms.)
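The paragraph above describes a blockchain as a hash-linked, signed ledger and questions the claim that transactions "cannot be altered". The following Python script is an added example written for this page; it is not code from the post, from HyperSpace Security or from any project the post mentions. It builds a minimal hash-chained ledger from constructed sample transactions and shows two things a practitioner should keep apart: an in-place edit is caught by re-hashing, but an actor who can recompute every later hash produces a chain that validates on its own, so the integrity guarantee in practice comes from replicated copies, consensus and signatures, represented here by a tip hash recorded out of band. Digital signatures are omitted because the standard library has no public-key primitives. `grover_preimage_bits` states the textbook Grover cost only: finding a preimage of an n-bit hash takes roughly 2^(n/2) evaluations instead of 2^n.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # previous-hash field of the first block


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: List[dict]
    hash: str = ""


def block_hash(index: int, prev_hash: str, transactions: List[dict]) -> str:
    """SHA-256 over a canonical JSON encoding of the block header and body.
    Sorted keys and no whitespace keep the encoding, and so the hash, stable."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "transactions": transactions},
        sort_keys=True, separators=(",", ":"),
    ).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def build_chain(batches: List[List[dict]]) -> List[Block]:
    """Link each batch of transactions to the hash of the previous block."""
    chain: List[Block] = []
    prev = GENESIS_HASH
    for i, txs in enumerate(batches):
        h = block_hash(i, prev, txs)
        chain.append(Block(i, prev, txs, h))
        prev = h
    return chain


def validate_chain(chain: List[Block]) -> Tuple[bool, Optional[int]]:
    """Recompute every hash and check every back-link.
    Returns (True, None), or (False, index) for the first inconsistent block."""
    prev = GENESIS_HASH
    for b in chain:
        if b.prev_hash != prev:
            return False, b.index
        if block_hash(b.index, b.prev_hash, b.transactions) != b.hash:
            return False, b.index
        prev = b.hash
    return True, None


def alter_without_rewrite(chain: List[Block], index: int, new_txs: List[dict]) -> List[Block]:
    """Edit one block's transactions but leave the stored hashes alone.
    validate_chain() flags the edited block immediately."""
    forged = copy.deepcopy(chain)
    forged[index].transactions = new_txs
    return forged


def alter_and_rewrite(chain: List[Block], index: int, new_txs: List[dict]) -> List[Block]:
    """Edit one block and recompute every hash from that block onward.
    The result is internally consistent: hash linking alone does not prove
    that history is unchanged, only comparison against an independent
    replica or a remembered tip hash does."""
    forged = copy.deepcopy(chain)
    forged[index].transactions = new_txs
    prev = forged[index].prev_hash
    for b in forged[index:]:
        b.prev_hash = prev
        b.hash = block_hash(b.index, b.prev_hash, b.transactions)
        prev = b.hash
    return forged


def matches_trusted_tip(chain: List[Block], trusted_tip_hash: str) -> bool:
    """Anchor check: a verifier who recorded the tip hash out of band
    (or holds an independent replica) detects a rewritten history."""
    return bool(chain) and chain[-1].hash == trusted_tip_hash


def grover_preimage_bits(hash_bits: int) -> int:
    """Effective preimage security of an n-bit hash against Grover search:
    about 2^(n/2) evaluations instead of 2^n, i.e. half the bits."""
    return hash_bits // 2


# Constructed sample data for the demonstration, not real transactions.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    tip = chain[-1].hash  # what an honest replica or auditor remembers
    forged_txs = [{"from": "bob", "to": "mallory", "amount": 2}]
    print("honest chain:", validate_chain(chain))
    print("in-place edit:", validate_chain(alter_without_rewrite(chain, 1, forged_txs)))
    rewritten = alter_and_rewrite(chain, 1, forged_txs)
    print("rewritten chain self-validates:", validate_chain(rewritten))
    print("rewritten chain matches trusted tip:", matches_trusted_tip(rewritten, tip))
    print("SHA-256 preimage bits under Grover:", grover_preimage_bits(256))
```

The design point is that `validate_chain` answers "is this copy self-consistent?" while `matches_trusted_tip` answers "is this the history everyone else agreed on?"; a ledger is only as immutable as the number of independent parties holding the second answer.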
The risk of blockchain deployment and the lack of standards have not gone unnoticed and led the US Congress in 2017 to enact “The American Innovation and Competitiveness Act”. Included in this act is a directive to the National Institute of Standards and Technology (NIST) to develop a post-quantum cryptography standard. This is where “Key Shadowing” will have to be considered.
While the market races to adopt blockchain, the risks are many. From finding qualified blockchain expertise and addressing the “single point of failure” of key management systems to overcoming the threat of quantum computing on cryptographic keys, it will be a bumpy ride for adoption, fraught with risks.
I was reading an interesting article titled: Is 2018 the year cybercrime becomes mainstream and was wondering how prepared IT/security staffs are to handle and investigate a cybercrime against their company. What expertise and training do they have to conduct investigations, comply with chain of evidence, adhere to a forensically sound process/methodology, and what forensics technology have they deployed? Are their IT vendors/partners just that, IT? Where do they go for help in conducting investigations?
Certainly, law enforcement plays a role. But, how prepared are companies to compile the facts to even determine if there was a crime before they call law enforcement? Is the threat internal or external? If internal, what risk reduction efforts did the company deploy to prevent an internal crime from being committed?
AI and machine learning will become more prevalent to mitigate this risk. A constant cyber awareness training framework is necessary and will certainly help. But, when there is a hack/breach (and there will be), how prepared are you to combat this criminal act?
Enterprise Mobile Encryption is Required, But Few Companies Have It
The mobile wave is here. You cannot avoid it. Everywhere I go business is being conducted on mobile devices. Last year at LegalTech in NYC everywhere you looked people were texting, talking, emailing, sharing documents and conducting business on their cell phones. What a hacker's paradise!! I stopped a few people (who happened to be attorneys) and asked if they were concerned about their communications being secure. They didn't think anyone would care. Really? Were they talking to a client discussing their defense, perhaps reviewing strategy for a company merger, how about proprietary information on the market release of a new product, or a privileged communication? Not to mention the document sharing and emails containing IP, etc.
In the past few weeks we have been engaged by our clients ranging from global law firms to global manufacturers wanting to implement an enterprise strength mobile encryption platform. They are ahead of the curve for companies and understand their business is rapidly being done on a mobile platform.
Their use cases vary and range from "out of band" communications for Incident Response to protecting privileged communications to ensuring the executives' conversations and communications are secure as they discuss mergers/acquisitions and company strategy.
What are your thoughts? Are you prepared, do you have a defense in place, do you care?
Would like to hear what you think.
Complacency - Biggest Weakness
Read an article this week by Robert Herjavec on LinkedIn (article) asking about being prepared and the role complacency plays in the preparation. Good article.
Two conversations (out of the list of 5) Robert mentioned that CEOs should be having were: establishing a strong cyber hygiene program and strengthening your mobile and IoT security postures.
Those especially resonated with our team as we just completed an engagement where cyber hygiene could have helped avoid DDoS attacks. Additionally, we're in the midst of securing several clients' mobile communications infrastructure through enterprise encryption. The primary use cases centered on protecting privileged communications and enabling an "out of band" communications platform to support IR efforts.
I couldn't agree more with Robert's article.
In a recent article at CSO titled: What's the value in attack attribution? Guidance Software CEO Patrick Dennis argues for the value of attribution.
As past intelligence operatives, our initial response is of course you need to find out who is responsible for the attack. Not only does it provide useful information on unknown vulnerabilities, but if the attack results in litigation, having the ability to identify a bad actor might support your defense.
What do you think? Is attribution valuable?
Wanted to share this post from our friends at SaltDNA.
In the wake of yet another cyber attack on a number of US law firms, the legal industry must respond to protect their practices & their clients' confidential information. In 2016, there were a number of major law firm hacks - including the leak of top-secret documents from Panamanian law firm Mossack Fonseca and the M&A hack attack by a Russian cyber criminal who targeted 48 elite law firms including Hogan Lovells, Allen & Overy, Cravath Swaine & Moore and Freshfields.
December 2016 saw Chinese hackers target New York law firms in an attempt to gather confidential information on recent mergers and acquisitions in order to penetrate the stock market. Targeting the confidential communications of the law firms, the hackers netted around $4 million in profit from the information they were able to gather. The ease with which this appeared to have been carried out will only encourage more of the same attacks. Preet Bharara, US attorney for the southern district of New York, said that the Chinese hackers successfully breached “at least” two law firms, which he did not name, and targeted at least
"This case of cyber-meets-securities fraud should serve as a wake-up call for law firms around the world,” he said. “You (law firms) are, and will be, targets of cyber hacking, because you have information valuable to would-be criminals.”
These cyber attacks have highlighted how the interception of client-confidential information can have meaningful consequences, and this applies to virtually every area of law. Traditional methods of communications in law firms are no longer sufficient due to the higher levels of sophistication in hacking, and the increasing availability of equipment and software which facilitates interception and eavesdropping on communications. The need for a CyberSecurity focussed solution is now a necessity within firms, and will affect individuals'/enterprises' decision on what law firm they wish to work with in the future.
With client information the target of recent cyber attacks, legal firms must adopt new, robust methods of communications to protect their clients, as well as their own reputation. In order to do this, the ability to control who speaks to whom within their firm is essential, alongside the mandate that all conversations are encrypted and private.
SaltDNA was created specifically to solve this problem for enterprises and works with law firms of all sizes to protect their practices and their clients. In the words of one of our customers, a large international law firm based in London:
"SaltDNA is part of every new case set up. We explain the reasons for using SaltDNA to our clients and they're thankful that we have this in place. It removes the need for cryptic phone conversations and is driving better communication with our clients."
SaltDNA provides a fully managed software solution, on an enterprise scale, that enables absolute privacy in mobile communications. Secure one-to-one messaging and calls, conference calling and group chat, secure transfer and storage of files/images, better call quality and LDAP integration enable secure communication and collaboration across the enterprise. The SaltDNA solution is easy to deploy (SaaS & On-Premise) and uses multi-layered encryption techniques to meet the highest security standards. The SaltDNA Desktop and Mobile apps are intuitive and easy to install and use. The SaltDNA Communication Manager provides a console for tight management of users and can be configured for the management of regulatory compliance.
SaltDNA is headquartered in Cambridge, Massachusetts and Belfast, UK, and is funded by Accomplice (formerly Atlas Venture) and Stonehammer Capital. www.saltdna.com
Read this recent article titled: Law firms’ inability to protect client data is a national security concern.
One item that stood out for me in this article was that by and large firms DO NOT encrypt data that is stored at rest. If that is the case I wonder if they encrypt the data in transit, especially when they utilize their mobile communications. I suspect not.
In the Sullivan & Cromwell risk management event on Dec 1 in NYC this issue arose during a panel discussion on ransomware. If the firms' (or anyone for that matter) systems are compromised how do they communicate electronically during the crisis and avoid revealing their triage activities? Typically, they turn to mobile. But, if that channel of communications is not secure and encrypted then what?
Something to consider. Be interesting to hear what law firms are doing for securing their mobile privileged communications. What do you think?
We honor our veterans today, to whom we owe so much. For me it has a personal meaning as my dad fought in WWII. An ordinary man who went off to fight for his country and did the extraordinary. Please, take the time to remember your loved ones and friends and say thank you to a vet!