Friday, December 12, 2014

Mergers and Acquisitions and Threat profile

This is a very small post, but I didn't want to put the thought out with the limitations of twitter. I was thinking about challenges around M&A and security and I realized that most of what is usually covered in the discussions about it is related to new assets that could be targeted by attacks and related vulnerabilities. That's quite easy to understand. You buy a company and their servers, with existent vulnerabilities and everything, are now yours to protect.

But as we know, Risk is not only composed of assets and vulnerabilities, right? What about THREATS?

That's something interesting to think about; when you acquire a company, you are not only getting their assets and vulnerabilities, you are also inheriting some of its threat profile.

A lot of information security nowadays is threat oriented. Monitoring threat intelligence feeds, information sharing about active threats, campaigns and TTPs. So, it's natural to consider that the threats that were targeting that company before acquired will continue to exist after the acquisition. For security (should I say 'cybersecurity'?) programs that are threat oriented, it's very important to quickly learn about those threats and ensure that any internal threat intelligence generated by the acquired company is properly absorbed by the acquiring organization.

Remember: you are not only acquiring assets and vulnerabilities, threats are also part of the deal ;-)

Sunday, November 23, 2014

Security and Behavioral Economics - BSides Toronto 2014

Yesterday I spoke at BSides Toronto about security and behavioral economics. I was uncertain about how it would be received and I'm very happy to see that the audience enjoyed it and a few people came after it to ask questions and talk about it. I'm working on an expanded version (yesterday was only 25 minutes) that I hope to present in a bigger conference next year.

My slides and notes can be downloaded here. I'll also post the video as soon as it's posted by BSidesTO.

Monday, November 3, 2014

Survival bias

The cognitive bias of the day is the survival bias:
Survivorship bias, or survival bias, is the logical error of concentrating on the people or things that "survived" some process and inadvertently overlooking those that did not because of their lack of visibility. This can lead to false conclusions in several different ways. The survivors may be actual people, as in a medical study, or could be companies or research subjects or applicants for a job, or anything that must make it past some selection process to be considered further.

It's fairly common (and actually quite wise to do) to use data sources like the Verizon DBIR to understand what are the most prevalent attacks and techniques being used on recent breaches. As I previously said on my last post on the availability bias, we should refer to data resources like that to avoid trying to fix what's in our minds instead of what is actually being exploited by the attackers. However, there's a catch.

If we look at the most recent attack patterns, we will notice that some of the most common vectors of the past have slipped to the middle or the bottom of the list. What does that mean? Does it mean that I should change my focus from SQL Injection and move it to RAM scrappers now?

This is the effect of the survival bias; the exploited vulnerabilities of the past are being fixed, so the attackers are now looking for the next low hanging fruit. That doesn't mean that those vulnerabilities commonly exploited in the past are not an issue anymore, it's just that so many organizations fixed those that they are just not making their way into the list of biggest issues. The list of current most exploited vulnerabilities is made of existing (survivors) vulnerabilities; those that had been fixed won't make the list not because they are not exploitable anymore, but because they are not as prevalent as they used to be. But if they are present in your environment, they will be exploited. Be careful with those lists; the hot stuff from the past will be fixed by everyone and eventually fall to the bottom, but they are still valid targets when left open behind.

Friday, October 31, 2014

Availability bias

So you are reading about the Russians, APT28, and thinking that that's where you should be putting your protection efforts, right? Not necessarily. You are probably being another victim of the Availability Bias:

The availability heuristic is a mental shortcut that relies on immediate examples that come to a given person's mind when evaluating a specific topic, concept, method or decision. The availability heuristic operates on the notion that if something can be recalled, it must be important, or at least more important than alternative solutions which are not as readily recalled. Subsequently, under the availability heuristic people tend to heavily weigh their judgments toward more recent information, making new opinions biased toward that latest news.

This is one of the examples of cognitive biases studied on Behavior Economics. It happens frequently on our risk assessments, specially those in our day to day routine. We exaggerate the risks of anything related to the last tragedy in the news. It happens to terrorism acts, crazy shooters, airplane disasters, diseases (Ebola?) and many other things. Things that are present (available) in our minds tend to look as more likely to happen, skewing our risk perception.

What you should do about it?

First, keep cool under new information. Look at it under the perspective of everything else you already know, and try to use data resources such as the Verizon DBIR to make more rational decisions. The base advice is to ask yourself, "what are the chances of this happening again? how frequently do these things happen? How are the chances if this happening comparing to other threats?". All those questions and thinking in terms of probabilities will help you move into a more rational way of thinking, avoiding the impact of the availability bias.

Friday, October 24, 2014

(One more) long winter of this blog is about to end

I noticed I haven't written anything here since February...that's probably the longest period I stayed without blogging since I started more than 10 years ago. That's unacceptable for someone who wants to stay at the top of his game and also to go beyond the parroting the sounds coming from the echo chamber. I'll definitely work to avoid this to become the new normal.

Now, what is making me put my head out of the sand again is (at least for me) an amazingly interesting topic: behavioral economics. The implications to information security are many, from the most obvious ("user" behavior) to some less evident situations (attacker point of view, risk management, SOC operations, secure coding and development, among many others).

I recently read two books that are a great introduction to the topic:

The Art of Thinking Clearly - Rolf Dobelli

Thinking, Fast and Slow - Daniel Kahneman (Nobel prize winner, seen by many as the 'father' of the field)

There are many others that I hope to add here over time, when I expand on what I've been thinking about this in our Infosec environment. More to come.

P.S. There's also an ongoing online (and free) course about BE at eDX...

Tuesday, February 25, 2014

Security perception is also security

An innocent twitter exchange with Pete Lindstrom earlier today about security perception versus real security made me see a very interesting aspect I haven’t noticed previously: the perception of security (or insecurity) can actually affect real security!

I believe it’s a well known truth that the perception of security for something can be different than the actual security; we were talking about iOS devices security. A lot of people see iPhones as “unbreakable” (although it’s not an Oracle product :-P), but the recent discovered issues (gotofail, touch snooping vulnerability) show that’s not really the truth. In the same way, it’s pretty common to see people considering Android devices the closest thing to swiss cheese, when in fact most of the malware and attacks for that platform rely on rooted devices or installing apps from unknown/untrusted sources. I still believe Apple is in a better position as it has a tighter control over what can run on iOS devices than Google (or device manufacturers) for Android, but I don’t see the difference as big as the general industry perception. It’s a very similar discussion to the OS wars between Windows and Linux from a few years ago.

What made the exchange interesting was that we realized there is feedback link between security perception and actual security. The notion that a platform is more vulnerable or less secure will make threat agents target that platform, raising the threat level and consequently the risk for that platform. The opposite is also true; being perceived as a secure platform actually makes it more secure (in the sense of lower risk)!

I think that it also explains why we don’t see Mac malware numbers increasing at the same rate as their market share; it will certainly increase as it has became a more attractive target, but the perception of OS X being a more secure platform (doesn’t matter if it’s true or not) discourages malware creators to focus on that platform. Mainframes are another great example of how perception keeps threat levels low.

Another interesting question derived from this notion: does security 'advertising' and PR stunts reduce risk by reducing threat agents motivation levels?

Wednesday, January 1, 2014

What can we learn from the NSA leaks?

2013 was the year of the NSA leaks.  A ton of data about what that agency is doing in the cyberspace was made available, and everyone is trying to figure out what everything means. I believe the answer will vary a lot depending on who is looking for that.

For other governments: I believe there are two aspects to be considered by other governments. First,  about what the US is doing in this field. The other countries should use all this to define a target of capabilities to be developed.  After all, if the Americans are really capable of all that, they should work to achieve similar capabilities, for intelligence and 'cyberwar'  perspectives.

The other aspect is the defence side.  The other governments now have confirmation about at least one government actions and capabilities. It doesn't matter if they are enemies or allies; it is a reasonable assumption that the US is not the only one doing all that stuff. So,  they need to review they technology choices, from hardware and software vendors to service providers and even encryption algorithms. Apart from that,  they should also invest heavily on the detection capabilities. No system should be considered 'unbreakable' and the assumption that the enemy is already inside has never been so appropriate.

For the regular security guy: if you work for a company that is not strategic for its home country, there are not many changes in how security should be done. NSA may have the ability to peep in your stuff,  but probably they are not interested in it.  Now, pay attention to all the capabilities they have and keep in mind that if they can do it, others, including cybercriminals, could also do it. Consider all those leaks as a gigantic proof of concept of how technology can fail in terms of security and act accordingly.

(before you give a big breath of relief, stop and think; are you really working for a 'non-strategic' business? Go read the APT1 report from Mandiant, just to be sure, before you skip the next paragraph)

For those working for strategic businesses: Time to think carefully about your security strategy. We know now not only that governments are actively hacking but also that they are doing that for economic reasons too (APT1, NSA and Petrobras). So,  you are a target and they have an enormous skills and tools advantage.  What to do?

It's time to focus on early detection and response. Based on what we've seen about their capabilities it will be very hard to prevent them to break in, but you should still be able to find out strange things happening to your network and systems. Put your focus on that.