Security Program Hacks – Using Security Liaisons as Force Multipliers for your Security Program. (Part 1)

The problem is well rooted and endemic.  Security organizations and their leaders are overwhelmed, understaffed and facing an unprecedented volume of new threats both inside and outside their organizations.  A natural human reaction to such conditions is to retreat, become reactive, siloed and isolated.  Effective security leadership requires we counteract these conditions by finding solutions in spite of organizational (and personal) limitations.

Enter the “Security Liaison”.  Initially the security liaison can be viewed as nothing more than a “security contact” for an organizational unit, project or application.  A designated individual that can be contacted in the event of an incident or other security related issue arises.  Nothing interesting or compelling at this stage, innocuous and innocent, right?

Instead of being the end of the story though, consider it only the tip of a land and expand policy. This is where it starts to get fun.  Ever wanted to use “scope creep” to your advantage? (for once) 

Stay tuned.  Part 2 introduces techniques and tactics to transform the security liaison from a passive “contact” to an active participant in your security efforts. 

Hacking Cars and Human Drivers Sucking

I spent most of the last week at Black Hat/Defcon/BSides Las Vegas contemplating a future filled with Internet enabled vehicles, infrastructure and hackers with ill intent.  The lead up to Black Hat 2015 again provided fodder for the mass media as researchers on their path to fame rolled out more than a couple of high-profile hacks against different automakers:
Jeep : https://blog.kaspersky.com/blackhat-jeep-cherokee-hack-explained/
Tesla: http://www.itproportal.com/2015/08/06/tesla-model-s-hacked/
Ford/Toyota: http://www.cnet.com/news/car-hacking-code-released-at-defcon/

While it is concerning that these types of vulnerabilities exist I would argue that a world of vulnerable smart vehicles is far safer than continuing to allow humans to drive unassisted.

Over 30,000 Americans die annually on our roads, the vast majority of these attributable to human error.  Face it, we suck at driving.

Obviously my “bury the head in the sand” approach to making vehicles less vulnerable is not a strategy that even I would endorse over the long-term.

Good thing there are folks like “I am the Calvalry“.  This org with probably the best name ever has produced the Five Star Automotive Cyber Safety Framework (PDF) and are spearheading a grass-roots campaign to encourage automakers to engage in a collaborative approach to finding solutions to their security problems.

While I remain optimistic that this effort has at least a snowball’s chance in hell of gaining traction I am concerned that the silos that exist across manufactures will not allow for a collaborative approach to solving this particular security challenge.

I hope to be proven wrong.

Culture Clash – Digital Forensics and Infosec

This week I will be traveling out to Las Vegas to attend the Computer and Enterprise Investigations Conference (CEIC) the largest digital investigations and forensics conference in the world.  A few short years ago this may have seemed an odd destination for a CISO of a cloud service provider but this is precisely why I am excited to attend.  

There is a very interesting convergence taking place that I will be exploring.  This convergence is the integration of digital forensics tools into the mainstream enterprise, but more interestingly the network/cloud.  Forensic tools, techniques and tactics show great promise when used in conjunction with existing security tools to reduce the time from breach to discovery, assist in remediation and ultimately reduce the entire incident response life-cycle.  At least this is the kool-aid that companies like Guidance Software (owns CEIC) and AccessData would have us drink.  This is a developing market segment with software that needs several iterations of development and integration before its full potential can begin to be realized.  

 
Maturation of the software may not be the greatest challenge however.  There is a larger cultural clash to be considered.  Traditional forensics software is heavily rooted in law enforcement investigatory procedures, rules of evidence and other legal benchmarks. This world is largely foreign to the network administrators and other information security experts that are battling on the front lines to protect their organizations from beach.  I have often argued that the best approach to solving many IT/security related problems is with an investigatory mindset.  Think like a detective in other words.  The intersection and integration of digital forensics into the network culture will certainly help bring this transformation over the next few years.  

CoreOS and Docker – Game-changers that security pros should know about

Key Takeaways:  CoreOS and Docker will fundamentally change the way SaaS companies deliver software.  CoreOS and Docker used together provide a compelling package by combining an “operating system as a service” and an application container to run applications in isolation from the operating system. Security professionals should know that the introduction of these technologies will mitigate some traditional risks while creating others.
CoreOS in particular is interesting in the way that it handles operating system updates and patches using an active/passive partition scheme.  More information here.

The ability to sanely roll operating system updates into deployment lifecycle will solve a major pain point for SaaS operations. The dirty little secret that is while many agile shops are starting to push code out “continuously”, operating systems are often left either untouched or unpatched.

CoreOS will help make “infrastructure as code” less buzzword and more reality in the not too distant future.