Fiber Cut? No Internet, Mobile or SMS? Are You SOL?

I woke up this morning thinking about the increasing impact that any disruption between us and the Internet has in our daily personal and professional lives. I love the security profession but sometimes it drives your brain to an offroad or two (or more) that many people do not oft travel.

Think. What use is your smartphone, computer or tablet if it loses all ability to communicate with anyone or anything else?

When fiber is cut and Internet and phone service are down it often affects an entire community or region. If this disruption occurs inline with a disaster, either natural or terror, lives can be at risk.

Fortunately most fiber cuts to date are accidental the result of an errant backhoe or other less than nefarious cause.

This is changing. Intentional cuts in the Bay Area in 2015 and allegations from Verizon that striking workers intentionally cut fiber are troublesome indicators that our fiber optic networks will increasingly be a target for those with a desire to disrupt.

But what is old is new again. The first recorded telecommunication sabotage took place during the second battle of Bull Run in 1862.  I would argue the stakes are no higher today just different.

Impact

The business impact of a fiber cut can be measured quantitatively and qualitatively. I dare you to go brick and mortar shopping in a region experiencing a fiber cut. You will quickly learn which retailers have the most resilient and effective disaster recovery and business continuity efforts.

Most retailers rely on fiber for every connection they make at the point of sale or otherwise. The fallback is normally satellite and works much more slowly, if it works at all. And you thought the lady ahead of you in line at Wal-Mart buying 500 cat key chains insisting on 50 separate receipts was slow.

The inability for teenagers to reach their friends via Facebook, Snapchat, SMS, phone or any other means other than face to face may seem in the moment catastrophic but is in reality only a symptom pointing to a future where the stakes are much higher.

Today Alexa’s inability to respond from the mothership to turn off lights and tell dad jokes arguably worse than my own is but a minor annoyance.

Future Alexa controlling my in home medical devices, fire suppression systems, and life safety equipment sets the stage for a future where being always connected is as critical as having water, power and oxygen to breathe.

Solutions

Ensure you have multiple Internet connections over disparate paths. Businesses in mission critical industries do this as a normal course of business. I recommend small businesses and families do as well.

My small business maintains two Internet connections and a satellite backup. Keep in mind fiber cuts often render all land based communication useless. Maintaining satellite Internet as a backup is a relatively cheap insurance policy. We use Exede.

Invest in a SOHO router that manages multiple Internet connections and provides for automatic failover/failback. My preference is CradlePoint.

Invest in an out-of-band communication technology to ensure that fiber cuts or other outages do not prevent you from reaching your family or business associates.

Not fully baked but amongst the most promising and exciting innovation for communications not reliant on Internet or even mobile coverage are these two companies. Beartooth  and GoTenna.

Both systems utilize a combination of your smartphone and a built in 900 mhz unlicensed radio frequencies to allow communication over several miles with no dependency other than a similar device on the other end.

Although GoTenna appears more consumer friendly and geared towards the social, crowdsourced model they do purport to have a mission critical “professional” line in the works. I’ve ordered a pair of GoTenna devices and will be posting a review after some time assessing their merits and limitations.

Technology solutions aside the most important action you can take as a business, family or individual is to have a plan and TEST the plan regularly.  Many great resources to assist with this over at ready.gov

As always feel free to reach out to me directly via LinkedIn if you would like more information about this topic or any other.

Stuart Clark

AWS Security Is Better Than Yours

Amazon will not tell you this but they think AWS security and compliance practices are way better than yours. And they would be spot on.

AWS re:Invent 2012 Leading with Security

How would I know? I’ve been working with service providers running on AWS since 2010. I helped a fintech startup born on AWS infrastructure win deals with mammoth financial services firms to proxy traffic between AWS and their internal networks back in the stone ages of the cloud, 2012. In that same year we completed a SOC 2 Type 2 Audit, one of the first cloud service providers running on AWS to do so.

Alas this is not a story about me. This is a story about continuous improvement about what can be accomplished over time and at scale. This is a story about a company that understood very early the importance of security, invested appropriately and now stands to reap the rewards of a tipping point tipped as a deluge of cloud migrations and associated revenue fills their coffers.

My perspective is simply as an AWS customer and partner that cares about security and has chosen to go deep to better understand what it takes to create a company that used infrastructure to change the world. I have no magic beans only my compounded experience of many years in the cloud to guide me.

But we warned. If you drink the Kool-Aid and decide to host infrastructure on AWS do NOT think you are off the hook for your own security and compliance efforts. I have a special dark place in my heart for organizations that HIDE behind the security and compliance of their cloud provider.

Security logos copied and pasted from a cloud provider to a marketing website are a poor defense against poorly secured applications and data.

What evidence do I have to make my claim that AWS security is better than yours?

Attestations, Standards and Frameworks Galore

AWS does not have the luxury of serving one particular industry or vertical. They provide infrastructure services to everyone from startups working on the latest useless social media app to three-letter government agencies which may or may not be spying on us. This is an incredibly high bar and requires a massive investment in security and compliance.

Yes compliance is not equal to security… blah blah blah… If you actually do your diligence and READ these reports you get a sense as to the true investment in security that goes way beyond check boxes.

Availability

You can gain insight as much by what does not happen as what does. Anyone that tells me their availability is as good as AWS (or Azure) for that matter gets my respect. And my skepticism. I immediately wonder if they are trying to fool me, themselves or both.

In late 2016 do we not have better things to do with our time than hug iron and troubleshoot blinky lights? Do you really think you can build resiliency to remotely equal the capabilities of multiple geographically disparate AWS Regions available at the push of a button?

DDoS mitigation anyone? Short of being an infrastructure provider why would you want to hassle with having to manage fighting this beast?  Amazon has your back.  Relax. Sort of. Obviously any applications or infrastructure you manage must be architected in such a way as to be resilient against DDoS attacks.  DDoS Best Practices Guide here.

Tools and Extensive Partner Network

It just makes sense that the longest tenured cloud company would have the most robust partner solutions and tools. AWS CloudTrail, Trusted Advisor, IAM, Inspector, WAF, HSM, KMS, Directory Service, etc.  More here.

Layer on partners that have offered cloud security solutions for many years. Companies like; Alertlogic, Sumologic, OneLogin, Ping, CloudPassage, Cavirin, Evident.io and more.

The End

A key takeaway is that it took AWS years to get to this position. In 2011 AWS compliance efforts were nascent in comparison. Most of the tools and partners mentioned above either did not exist or if they did functionality was “limited”. (read sucked)

The significance of AWS’ strong leadership position in security cannot be understated. A public cloud provider is now the security reference from which all others can aspire. We have come a long way baby.

Beginning of the EndPoint – Challengers

hand-pointing-out-1465802608efl

I’ve been a Cloud CISO for a little more than 5 years now. One consequence is that enterprise endpoint security products and I have rarely passed paths. Agile orgs running Linux / OSX with users perpetually outside the perimeter is not easily solved for with legacy endpoint products.

But I was curious what has changed…

This afternoon I read with interest the “Forrester Wave Endpoint Security Suites Q4, 2016” report.

The report could have been written ten years ago, with the notable exceptions:

  1. Companies like Carbon Black, Cylance, CrowdStrike and Bromium have emerged to challenge perennial industry giants. Any innovation in endpoint security is noteworthy. No longer is it acceptable for the incumbents to ride the cash cow of enterprise renewals without significant development efforts to keep pace.
  2. Quarantine = Remediation

You can find the Forrester report over on the Carbon Black website.  (Gated, Sigh…)

END

ISC West 2016 Conference Wrap – Connected Death

Last week I had the opportunity to attend ISC West billed at the “largest security industry trade show in the U.S.” Held annually at the Sands Expo in Las Vegas the show features over 1000 exhibitors and is attended by over 28000 security professionals.

IoT Vendors at Connected Security 2016

IoT Vendors at Connected Security 2016

Make no mistake ISC West is largely a physical security conference.  The sheer number of cameras, access control solutions, retractable electronic bollards, electrified fencing and oddly skin care vendors was staggering.

For the first time the show included the Connected Security Expo a cybersecurity conference within the larger conference.  A recognition that many of the aforementioned vendors now manufacture internet connected devices that need to be secured (with the probable exception of the skin care vendors).

I was pleasantly surprised at both the execution and content of the expo.  A successful conference for me is largely defined by what I learned.  My thoughts about the conference based on my multiple personalities, err personas…

As a Technologist – Very Cool. As a corporation you can actually buy a drone fleet and patrol your perimeter, then deploy a robot to investigate and intercept violators.  All remotely controlled and monitored.

As a CISO – Abject Fear.  Very few of these IoT device manufacturers appear to have any expertise in cybersecurity.  I’ve probably spent more time thinking about their supply chain and secure software practices than they have.

As a Security Entrepreneur  – Unlimited business opportunities abound.  See CISO thoughts above.

We can expect 200 billion new devices to come online by 2020 according to Matthew Rosenquist of Intel.  Many of these devices will impact life and safety.  Vehicle control systems and medical devices are examples.  The bad news is that a significant amount of blood will be spilled in the next few years.  Innovation has always outpaced cybersecurity but now the consequences of failure include the likelihood that people will die.

Are we ready for this connected future?  We had better be.  There is no other choice.

Security Program Hacks – Using Security Liaisons as Force Multipliers for your Security Program. (Part 2)

Part 1 introduced the concept of transforming a paper “security contact” into a security liaison for your organization.  

My experience working with organizations is that while most have a security contact attached to an asset or functional area many of the designated contacts when asked are surprised to learn of their role.  This is a sure indication of checkbox compliance and missed opportunity.

Creating a security liaison program is an exercise in taking a latent asset tied to a compliance objective and activating them to become an active participate in the overall security of the organization.

How can this be accomplished?

  • Policy – Authorize the security liaison program by writing it into your overall security policy.  Define the role and overall responsibilities of the liaison.  I’ve found that the liaison program tends to map closely to the security steering committee so placing this section immediately following the steering committee makes sense.
  • Process  –  Make it real.  Make it auditable.  Meet regularly with your security liaisons and document much as you would for the security committee.  A functioning security liaison program can be used as a control at audit time to show the maturity of security within your organization.  
  • Empower/Enable – Assign real responsibilities.  Enable your security liaisons to participate in your risk management program and other key areas.  Empower them to drive improvements to the security of the organization by encouraging them to ask hard questions that may not have easy answers.  Empower your liaisons by allowing them to communicate/report issues and progress to the security committee/leadership.

Final Comments

The overall goals of any security program are to reduce risk and increase security.  Adding security liaisons can be a key component of your overall security strategy.  A group created with zero additional headcount, authorized by policy and doing your security bidding?  It is only a dream if you don’t act.

 

A CISO’s Minefield – Dysfunction on the Board

I tweeted the other day in response to a blog post I read which seems to be an upward trend of information intended to help CISO’s disseminate information to their board of directors.
Good actionable information for sure but I feel the need to push the envelope a little and provide some unvarnished and unsolicited observations about boards.

Board members are silos to themselves – My experience has been that board members are generally smart, successful independent types.  They are often wonderful resources for asking entrepreneurial questions and generally getting to know better, even if only to further your agenda.  Rule of thumb: They generally like to talk about themselves, so let’em…

In many cases these individuals are highly competitive and often do not like other board members.  Rule of thumb: Boards are at often AT LEAST as dysfunctional as the organizations they govern.

Some board members do not understand the business – Many times especially within smaller companies board members will be family members that have no clue what the business actually produces let alone how it operates.  If they do talk to the CISO they may ask what kind of gun they carry.  “You are security, right”..?

Don’t spend much time on these folks. Rule of thumb: Focus efforts on board members that can actually spell vulnerability.

Understand the CISO’s place –  There might as well be a sucking sound that accompanies any CISO’s entrance to the boardroom.  That sucking sound is the board’s top line revenue being sucked dry.  Let’s be real. The board only cares about security insofar as it relates to the income statement, balance sheet or cash flow. Speaking to them on any other terms is wasting oxygen.  Rule of thumb: To be a successful CISO you must relish being a cost center. Success is defined by sucking less…

The bottom line is that success in the boardroom is the same as success in life.  Observation, seeking to understand, developing relationships, being strategically humble for tactical gain are all key.

Stuart Clark

 

 

 

 

Hacking Cars and Human Drivers Sucking

I spent most of the last week at Black Hat/Defcon/BSides Las Vegas contemplating a future filled with Internet enabled vehicles, infrastructure and hackers with ill intent.  The lead up to Black Hat 2015 again provided fodder for the mass media as researchers on their path to fame rolled out more than a couple of high-profile hacks against different automakers:
Jeep : https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/
Tesla: http://www.itproportal.com/2015/08/06/tesla-model-s-hacked/
Ford/Toyota: http://www.cnet.com/news/car-hacking-code-released-at-defcon/

While it is concerning that these types of vulnerabilities exist I would argue that a world of vulnerable smart vehicles is far safer than continuing to allow humans to drive unassisted.

Over 30,000 Americans die annually on our roads, the vast majority of these attributable to human error.  Face it, we suck at driving.

Obviously my “bury the head in the sand” approach to making vehicles less vulnerable is not a strategy that even I would endorse over the long-term.

Good thing there are folks like “I am the Calvalry“.  This org with probably the best name ever has produced the Five Star Automotive Cyber Safety Framework (PDF) and are spearheading a grass-roots campaign to encourage automakers to engage in a collaborative approach to finding solutions to their security problems.

While I remain optimistic that this effort has at least a snowball’s chance in hell of gaining traction I am concerned that the silos that exist across manufactures will not allow for a collaborative approach to solving this particular security challenge.

I hope to be proven wrong.

What can I do to help after a disaster? CERT may be for you.

The recent floods that devastated the Central Texas community of Wimberley in May left many asking themselves this question.  Becoming a CERT (Community Emergency Response Team) member will help prepare you and your family for a disaster and provide basic disaster training to assist others in the community.
CERT is coordinated by FEMA but led locally.  As of this writing there are over 2200 CERT teams nationwide.  You must be at least 18 years of age however local coordinators have the discretion to allow under 18 to participate.

I joined Austin CERT in 2011 by attending evening courses over a period of several weeks.  The training was held in the Austin/Travis County EOC which for a technology geek like me was worth the time investment alone.  The training class itself was about 35 strong and a diverse mix of young and old alike.  The training was interesting and engaging even for a seasoned first responder like myself.  For reference the current Austin CERT course description is here.

Working in law enforcement as both police officer and dispacher offered me ample opportunities to help people utterly unprepared, oblivious or even obstinate and hostile.  An informed and educated public is the greatest asset to both the first responder and themselves in time of disasters. Preparation prevents panic.

A photo taken during a 2011 Austin CERT Disaster Training Exercise

Culture Clash – Digital Forensics and Infosec

This week I will be traveling out to Las Vegas to attend the Computer and Enterprise Investigations Conference (CEIC) the largest digital investigations and forensics conference in the world.  A few short years ago this may have seemed an odd destination for a CISO of a cloud service provider but this is precisely why I am excited to attend.  

There is a very interesting convergence taking place that I will be exploring.  This convergence is the integration of digital forensics tools into the mainstream enterprise, but more interestingly the network/cloud.  Forensic tools, techniques and tactics show great promise when used in conjunction with existing security tools to reduce the time from breach to discovery, assist in remediation and ultimately reduce the entire incident response life-cycle.  At least this is the kool-aid that companies like Guidance Software (owns CEIC) and AccessData would have us drink.  This is a developing market segment with software that needs several iterations of development and integration before its full potential can begin to be realized.  

 
Maturation of the software may not be the greatest challenge however.  There is a larger cultural clash to be considered.  Traditional forensics software is heavily rooted in law enforcement investigatory procedures, rules of evidence and other legal benchmarks. This world is largely foreign to the network administrators and other information security experts that are battling on the front lines to protect their organizations from beach.  I have often argued that the best approach to solving many IT/security related problems is with an investigatory mindset.  Think like a detective in other words.  The intersection and integration of digital forensics into the network culture will certainly help bring this transformation over the next few years.  

Certified Cloud Security Professional Certification (CCSP)

The Certified Cloud Security Professional Certification (CCSP) was announced by ISC2 in conjunction with the Cloud Security Alliance (CSA) this morning.  I have included both the exam outline and brochure for easy reference at the bottom of this article.
The new exam includes six domains and requires 5 years of IT experience, of which 3 years must be in information security. Interestingly the CSA’s existing CCSK certification (Certificate of Cloud Security Knowledge) can be substituted for one year of information security experience.  This protects the CSA’s investment in what to this point has been the only other relevant certification available since the advent of the “cloud”.  The CCSK certification is now clearly positioned as entry level and accessible to everyone at nearly any skill level.

Inline with this announcement was the release of the FrostSullivan-(ISC)²-Global-Information-Security-Workforce-Study-2015.

A quick search of the document returns 29 references to “cloud” which I will explore more in an upcoming article.

CCSP Exam Outline
CCSP Brochure