Tag Archives: risk

Lots of dots

Per this article (http://bit.ly/1gJA0yu) from Tofino and Bob Radvanovsky:

  • over 1,000,000 ICS/SCADA devices connected to the Internet discovered so far
  • discovering approximately 5,000 new ICS/SCADA connected devices/day

Device types include, but are not limited to:

  • manufacturing/production control systems
  • medical devices
  • traffic management systems
  • traffic light control/traffic cameras
  • HVAC & building management systems
  • security/access control to include video/audio surveillance
  • data radios

and to keep it interesting, also found these connected to the Internet:

  • off-road mining trucks
  • crematoriums

In many cases, a web interface is enabled with default credentials in place.

I believe 1,000,000 is only a fraction of Internet-connected embedded/ICS/SCADA devices and that the rate of growth of new connections is way faster than anything that we saw in the PC days.


Who’s looking at you kid? — ICS in the office

The “Internet of Things” is slowly creeping into small businesses and homes and is creating some new privacy and physical safety issues and risks.

There has been a lot of media coverage regarding exposure of the national power grid to cyberattack. This coverage is appropriate and the risk is real. Many automated systems, aka industrial control systems or ICS, that control various aspects of electricity generation, transmission, and distribution were never intended to be controlled by Internet-connected systems. In most cases the Internet simply did not exist when the systems were installed. However, Internet-based control was added after the fact, and the intersection (or collision) of two very different types of control systems, traditional industrial control and Internet-based control, has created vulnerability and exposure to malicious intent. The issue is exacerbated by the fact that power systems are a high-value target: successful attack and compromise can have a very big effect.

There are also other control systems, besides those dealing with power, that are in many buildings and increasingly in homes and small offices. These are HVAC (heating, ventilation, air conditioning) controls, lighting controls, security systems and others. These also have various levels of exposure to cyberattack. As an example, Google’s headquarters in Australia was recently compromised.

ICS showing up in home and office & unintended consequences

Some of these control systems that have traditionally been the domain of large buildings and complexes are making their way into homes and offices.

One example is IP-based (Internet controlled) consumer or small business security systems. These systems often provide:

  1. video monitoring over network/Internet
  2. audio monitoring over network/Internet
  3. sometimes 2-way audio over Internet where the person monitoring can send audio transmissions to the monitored area

These devices are inexpensive and easily obtained at Target, Best Buy, Radio Shack or even the local drug store. They are also very vulnerable to misuse over the Internet. There was a well-publicized case last month where an IP-based (Internet-controlled) baby monitor was being used by a family in Texas. When the parents thought they heard a voice in the 2-year-old child’s room, they heard a man’s voice saying horrible things to the child through the baby monitor (including calling her by name). Someone had ‘hacked’ into the system (‘hack’ is a strong word, as it was almost trivial to gain video and audio access).

The parents thought that they were enhancing the child’s safety and well-being and had no idea that they were increasing risk to the child in other ways.

Assumed product sanction

There’s the rub.  When these products are purchased at our local or online stores, there is this assumption of some sort of sanctioning or trust of the product by the store.  Sort of like, “Target wouldn’t sell anything that would hurt me.  Best Buy knows what they are selling.” This is, of course, a bad assumption.

The Internet of Things — devices and sensors talking to each other as well as humans over the Internet — opens up an exciting array of possibilities. But simultaneously it opens up a new ecosystem for misuse, privacy abuse, and even physical safety issues.

When we bring Internet-controlled devices into our office or home environments, we need to do the mental math of how the product could be misused.  What would happen if it failed? What would happen if (when) an unplanned user accesses the system? Because we can be sure that someone else, that may not be well-aligned with our best interests, is doing that math.

photo credit: Argonne National Laboratory via photopin cc

Motivating adoption of cybersecurity frameworks

The Federal government is seeking to motivate businesses that operate our nation’s critical infrastructure systems to voluntarily adopt a Cybersecurity Framework currently under development by NIST (National Institute of Standards and Technology). These systems include the electricity generation and distribution grid, transportation systems, and drinking water storage and distribution systems. A preliminary draft is available now here, and it will also be presented in two weeks at the University of Texas.

Roughly simultaneously, the Departments of Homeland Security, Treasury, and Commerce have been developing various options to try to provide incentives for companies to voluntarily adopt the Framework.  Per the White House Blog, there are eight core areas or approaches to incentives under consideration.

  1. Engage the insurance industry to develop a robust cybersecurity insurance market. As discussed in an earlier post, this is not without its challenges.
  2. Require adoption of the Framework for consideration of Federal grants related to critical infrastructure, or include it as a weighted criterion in the grant evaluation process. This seems reasonable to me, though it only incentivizes those companies applying for Federal grants (but maybe that’s most companies?).
  3. Expedite government service provision for various programs based upon adoption of the voluntary Framework. Again, seems logical, though this one seems a short step away from changing the ‘voluntary’ part of Framework adoption.
  4. Somehow reduce liability exposure of companies that adopt the Framework. Per the White House Blog, this could include reduced tort liability, limited indemnity, higher burdens of proof, and/or the creation of Federal legal privilege that preempts State disclosure requirements. If one were a cynic, that last one could sound like buying a loophole. This whole core area of modifying liability seems to me to be pretty tough to manage, particularly to manage transparently and equitably.
  5. The White House Blog says that “Streamlining Regulations” would be another motivator for participating companies. I don’t get this one. I don’t understand how the government could “streamline regulations” for one company but not for another. Sounds to me like interpreting the law one way for one company and another way for another company.
  6. Provide optional public recognition for participating companies. This one seems like a good idea. Sort of a Good Housekeeping Seal of Approval, Better Business Bureau endorsement, or similar to the Joint Commission on Accreditation of Healthcare Organizations endorsement for hospitals.
  7. Companies in regulated industries such as utilities could be offered some sort of rate recovery contingent upon adoption. This seems reasonable logically, but I would imagine a bear to implement and manage (which is kind of a theme for many of these).
  8. The White House Blog says that “cybersecurity research” is an incentive. This one I don’t get either. How does identifying weak spots in the Framework and encouraging research in those weak areas motivate Framework adoption? I mean, it’s a good thing to do, but how does that make any one particular company want to participate?

While these are proposals for incentives for critical infrastructure companies, I’m wondering if some of these can serve as a model for SMB adoption of cybersecurity standards. Adjusting cyber insurance premiums based on participation would seem to be an obvious approach. However, as has been discussed previously, a mature cyber insurance market does not yet exist, and it’s not a slam dunk that one will evolve sufficiently fast to address this need. For SMBs seeking government grants, including SBIR (Small Business Innovation Research) grants, compliance with an SMB cybersecurity framework would seem to be a no-brainer. Also, optional public recognition for compliance with an SMB cybersecurity framework would seem to be a practical approach.

What would motivate you as an SMB to adopt an established Framework?

Think it’s okay to keep running Windows XP?

From this Microsoft blog.

This was an eye opener to me. I would have thought XP infection rates were in the ballpark of Windows 7. And this is while XP is still supported!

While there is some obvious self-interest for Microsoft to promote migration from XP, my gut is that this is reasonable data.

What percentage of your computers are still running on XP?


Tipping Point

“Cybercrime is no longer an annoyance or another cost of doing business. We are approaching a tipping point where the economic losses generated by cybercrime are threatening to overwhelm the economic benefits created by information technology. Clearly, we need new thinking and approaches to reducing the damage that cybercrime inflicts on the well-being of the world.”

John N. Stewart, Senior Vice President and Chief Security Officer at Cisco, in the Cisco 2013 Annual Security Report.


Watering Hole Attacks

The biggest innovation in targeted attacks by malicious actors in the past year is in what are called Watering Hole Attacks, according to the Symantec Internet Security Threat Report 2013.

A Watering Hole Attack is indirect in that, instead of attacking the target directly, malicious code is placed on sites that the target is known to visit. According to Threatpost, watering hole attacks have been “used primarily by state-sponsored attackers to spy on rival governments, dissident citizen groups and manufacturing organizations.” Two well-publicized watering hole attacks in the past year were on the Department of Labor website and on the Council on Foreign Relations website. Watering hole attacks have also been used on Facebook, Apple, and Twitter users when malicious code was inserted on a popular iPhone software development site.

How it works:

Watering hole attacks have multiple phases in their implementation:

  1. Victims/targets are researched and profiled to identify what sites that group (or individual) visits or is likely to visit.
  2. Those identified websites are tested for vulnerabilities.
  3. Malicious code is injected on these sites.
  4. At this point, the “watering hole” site is infected and ready to deliver malicious code to the targeted visitor when they appear.
  5. Upon visiting an infected site, the targeted visitor is redirected to another site where a separate bit of malicious code is downloaded onto the user’s computer. At this point, the attacker has control of the targeted user’s computer.

One of the reasons that watering hole attacks are effective is that, in many cases, the watering hole website — that has been infected and is waiting to download malicious code — cannot be “blacklisted” because it is a legitimate site and needs to be operational.  An example is the Department of Labor site.  The site needs to remain available.

What to do:

The primary activity that SMBs can do to reduce the risk of watering hole attacks is to keep software current, aka “patched.” For example, on user computers running Windows, allow Windows to auto-update its operating system. Larger companies might have the resources to employ network analysis and detection as well as data analytics to mitigate the watering hole attack. However, as we know, the expertise, staffing, and time for this sort of activity are typically not available to SMBs.
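As an added illustration of the “network analysis and detection” mentioned above (example code written for this post, not from the original post, Symantec or Threatpost), here is a small Python filter over constructed proxy log lines that flags the step-5 pattern: a page load from a trusted site followed within seconds by an executable download from a host the business has never seen. The host names, the allowlist and the log format are assumptions.

```python
"""Flag proxy-log sequences that look like a watering hole redirect chain: a trusted
page load followed within seconds by a payload download from an unknown host."""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Hosts employees visit legitimately (assumed allowlist kept by the SMB; hypothetical names).
TRUSTED_HOSTS = {"hr-portal.example", "industry-news.example"}
# Third-party hosts those pages are already known to load (assumed baseline).
KNOWN_THIRD_PARTY = {"cdn.static-assets.example"}
# Content types that carry an executable payload rather than page furniture.
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = timedelta(seconds=10)  # how soon after the trusted page the download must follow

# Constructed sample proxy log (not real traffic): timestamp client url status content-type
SAMPLE_LOG = """\
2013-05-01T09:00:01 10.0.0.5 http://hr-portal.example/news.html 200 text/html
2013-05-01T09:00:02 10.0.0.5 http://cdn.static-assets.example/site.css 200 text/css
2013-05-01T09:00:03 10.0.0.5 http://x7-updates.example/ld.php 200 application/octet-stream
2013-05-01T09:15:10 10.0.0.7 http://hr-portal.example/news.html 200 text/html
2013-05-01T09:15:12 10.0.0.7 http://cdn.static-assets.example/site.css 200 text/css
2013-05-01T09:30:00 10.0.0.7 http://x7-updates.example/ld.php 200 application/octet-stream
"""

def parse_line(line):
    """Split one log line into its fields."""
    ts, client, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": urlsplit(url).hostname, "url": url,
            "status": int(status), "ctype": ctype}

def find_redirect_chains(lines):
    """Return one alert per payload download from an unknown host that closely
    follows a trusted-site page load by the same client."""
    last_trusted = {}  # client -> (timestamp, host) of its most recent trusted HTML page
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["status"] >= 400:  # failed requests delivered nothing
            continue
        if rec["host"] in TRUSTED_HOSTS:
            if rec["ctype"] == "text/html":
                last_trusted[rec["client"]] = (rec["ts"], rec["host"])
            continue
        if rec["host"] in KNOWN_THIRD_PARTY:
            continue
        # Unknown host: alert only if it serves a payload inside the window.
        prev = last_trusted.get(rec["client"])
        if prev and rec["ts"] - prev[0] <= WINDOW and rec["ctype"] in PAYLOAD_TYPES:
            alerts.append({"client": rec["client"], "watering_hole": prev[1],
                           "payload_host": rec["host"], "url": rec["url"]})
    return alerts

if __name__ == "__main__":
    for alert in find_redirect_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

Only the first client is flagged: the second client’s download from the same unknown host falls outside the window, which shows that the rule catches the redirect chain, not every odd download, so the allowlist needs ongoing maintenance to keep false positives low.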


What work-related (or non-work-related) websites do you or your employees visit?

Avoiding a Tragedy of the Commons

So maybe SMB Information Risk & Security doesn’t have to be a Tragedy of the Commons.

Admittedly, at initial glance it appears that it has to be. So many SMBs have so few resources: they rarely have security expertise, typically have very little IT expertise, and probably zero information risk management expertise. Again, the reasons for this are not difficult to see. Their resources are limited, and many of the traditional enterprise approaches to risk and security simply don’t scale down cost-effectively.

What’s one more fish?
(Image by Earth’sbuddy [CC-BY-SA-3.0] via Wikimedia Commons)

This is why risk and security for SMB’s can appear to be a Tragedy of the Commons. As discussed a couple of posts ago, a Tragedy of the Commons as introduced by Hardin in 1968 covers such scenarios as overfishing a portion of the ocean or overgrazing a pasture. Each individual actor, whether fisher getting one more fish or farmer putting one more cow on the pasture, contributes to the demise of the shared resource for all in the long-term while acting on self-interest in the short-term.

Similarly, it was suggested in the post that the Internet is a shared resource for SMBs. When an individual business is attacked, 1) the business can suffer itself, and/or 2) the business is used as an attack platform on other businesses, which diminishes, i.e. depletes, the utility of the resource. However, in the short term, the SMB has a hard time justifying risk management and security investment on its own behalf because it requires internal resources earmarked for marketing, R&D, production and similar.

Solution to Prisoner’s Dilemma Approach

The Tragedy of the Commons idea introduced by Hardin is similar to the Prisoner’s Dilemma, where it is assumed that there is no (or little) communication between actors (prisoners, in this case). While working independently and integrating previous and existing research, Elinor Ostrom, 2009 Nobel Prize Winner for Economic Sciences (shared with Oliver Williamson), showed that there were many examples of successful sharing of a common pool resource (CPR). She asked the question, “Are rational individuals helplessly trapped in dilemmas?” To answer this, she studied irrigation systems in Nepal, forests around the world, fisheries, police and government systems, as well as studies in her own laboratory.

Among other things, she clearly pointed out that there was indeed communication between the actors that were successfully sharing a Common Pool Resource. Further, a key component amongst actors in successful common sharing was trust.

Polycentric Governance Success

Following are a number of her observations from her Prize Lecture entitled “Beyond Markets and States: Polycentric Governance of Complex Economic Systems”. I am not suggesting that these observations directly map onto the Common Pool Resource problem of SMBs sharing the Internet. However, I do believe that they are worthy of reflection in this context and can serve as the basis for further discussion. (That said, I think the title itself may hold clues to the SMB Tragedy of the Commons problem.)

  • panaceas are potentially dysfunctional
  • small to medium-sized cities are more effective monitors of performance & costs
  • dissatisfied citizens (group members) can ‘vote with their feet’ and move to another group
  • large, incorporated communities can change contracts with external providers, but urban, less structured, districts have no voice
  • regarding police in metropolitan areas, a large number of small direct service producers (e.g. patrol) was more efficient, while a small number of large indirect service producers (e.g. dispatch, crime lab analysis) was more efficient; that is, the most efficient arrangement was a mix of large and small
  • complexity is not the same as chaos and it is often worth the investment to better understand the complexity
  • groups that did not communicate were more likely to overuse the shared resource
  • 5 types of property rights discovered, not just one (access, withdrawal, management, exclusion, & alienation rights)

Successful shared resource scenarios tended to have these traits:

  • boundaries of users & resource are clear
  • congruence between benefits & costs
  • actors had procedures for making their own rules
  • regular monitoring of resource and actors
  • graduated sanctions (against rule violators)
  • conflict resolution mechanisms
  • minimal recognition of rights by government
  • nested enterprises
  • users/actors themselves are active monitors of resource consumption (i.e. not a 3rd party)

Other observations:

  • users monitoring resource themselves more important than type of resource ownership
  • stronger when local communities have strong rule-making autonomy and incentives to monitor
  • behavioral theorists now looking at actors/individuals where individual is boundedly rational, but can learn
  • learning to trust others is central to cooperation
  • healthy resources have actors/users with long-term interests in the resource and invest in monitoring and building trust

What are the parallels between these observations and the secure-SMBs-on-the-Internet Tragedy of the Commons issue? Should government intervene? (These observations don’t make a strong case for it.) Should trade groups organize rules? Should small, geographically similar SMBs develop their own working groups somehow? Should SMBs across the globe of similar size organize and develop membership rules regarding Internet participation? Are there other natural alignments amongst SMBs?

How do we increase the safety and security and lower the risk profile of SMBs on the Internet?