2
Apr

Frequency and intensity of successful malicious exploits of online data call for a pooling of information between impacted parties

2-Color-Design-Hi-Res-100px-widthWhen hackers obtain otherwise legitimate credentials to online sites and the data repositories they contain, the likelihood of success for their efforts to depart with data they do not own is much greater — perhaps unstoppable. Therefore it makes sense for parties impacted by these attacks to pool their information so a new level of defense can be promptly implemented against further successful exploits with the same credentials.

Unfortunately this is the condition apparently in place in March 2015. On Sunday, March 29, 2015 the online edition of the Wall Street Journal ran a story written by the Associated Press titled Some British Airways Frequent-Flier Accounts Hacked (http://www NULL.wsj NULL.com/articles/some-british-airways-frequent-flier-accounts-hacked-1427598805?KEYWORDS=british+airways). Notable in the article is mention of what appears to be the method the hackers used to access the data: “The breach apparently was the result of a third party using information obtained elsewhere on the Internet”.

Then, through what looks like a brute force method of simply trying credential set after credential set against the access control method at the perimeter of the British Airways web site, the hackers eventually succeeded in their effort. Tellingly, the writers from the Associated Press note this attack is, apparently, the fourth such recent attempt. The other attempts compromised data owned by the “Hilton and Starwood” hotel brands and “United and American airlines”.

It is very hard to defend a data repository against requests for access based on legitimate credentials. Sure processes can be implemented to detect brute force access methods and to deny access — even to holders of legitimate credentials — when they are presented within the context of a brute force attack. But what if the “automated process” mentioned by the Associated Press amounted to a substantially more sophisticated tactic than a rapid, repeated completion of an online site access form? It would be much harder to detect a brute force attack should it transpire over days, or even weeks.

Regardless of how one argues data owners should defend themselves against these types of attacks, the substantial value of implementing data consortiums — literally groups pooling data about attacks — as a defense method should pass muster. One can argue law enforcement agencies already provide this type of knowledge “beyond the wall” and should be able to play this role. But there is another aspect to the potential of a data consortium for online data security, a similar opportunity to the concept of Key Risk Indicators (KRIs) as it has been applied to efforts to implement Operational Risk Management (ORM) solutions for global financial businesses. This application of a data consortium will not fall within the purview of a decision to look to law enforcement for “environmentally relevant” data about similar data security breaches. I have some experience with ORM solutions including KRIs and would be interested to speak with readers with an interest in hearing further about this notion. Please contact me to discuss.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved

26
Feb

Online businesses looks to be on course for a negative event of even greater magnitude — stay tuned

2-Color-Design-Hi-Res-100px-widthIt is one thing to lose something of great value while covered by a comprehensive insurance policy, and quite another to be in the same position, albeit without the coverage.

So adding the insurance policy looks to be a no-brainer, right? Not so fast. According to an article titled Cyber attack risk requires $1bn of insurance cover, companies warned (http://www NULL.ft NULL.com/intl/cms/s/0/61880f7a-b3a7-11e4-a6c1-00144feab7de NULL.html?siteedition=intl#axzz3SrQZqbSm), written by Gina Chon and published on Thursday, January 26, 2015 by the Financial Times, businesses are not only finding a lot of obstacles on their way towards securing the extent of insurance coverage they need to cover online commerce, but (and this is even more worrisome) are also exhibiting a lot of reluctance to even make the effort. If we are looking at a wave of complacency, then perhaps we are looking at a major negative event with enormous financial impact all around in the making.

Back in October 13, 2013 we published a post to this blog titled Online Security Problems are too Pressing for the Public to Continue to Ignore. The position I have always taken on topics like the one Chon treats in her article for the FT is as follows:

  • the “mono protocol” data communications world we have, perhaps inadvertently, created by vigorously pushing further expansion of markup language code at the application layer with Ethernet over TCP/IP as the underlying pipe is very very dangerous. The old world of multiple data protocols running across wide area networks made a lot more sense and was, inherently, safer

But my position, at present, is “so be it”. The internet, for better or worse, as it is presently technically constructed is here to stay. The question ought to be how do we get this “genie back in the bottle” and mitigate the risks associated with doing business online.

Apparently businesses are not willing to take the steps required to accomplish this critically important step. Underwriters seem not to want to handle the risk and the insured are not willing to pay the cost for coverage. This is a potentially dangerous condition. One would hope all of the parties involved will see their way through to a mutually satisfactory conclusion. The sooner the better.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved

11
Mar

Further Comments on Ginni Rometty’s Keynote at Mobile World Congress, 2014

During the last 15 minutes of Ginni Rometty’s Keynote Presentation at Mobile World Congress, 2014 (http://www NULL.youtube NULL.com/watch?v=0-M4h1gt2VY), some viewers may catch how IBM is branding its Watson Cognitive system as a modern mainframe computer. Rometty also underpinned some skeptical comments about cloud and mobile security with a prediction. Sooner or later markets will wake up to recognize the importance analytics plays for a truly effective security policy for data.

Does IBM’s Watson Benefit from a Mainframe Brand?

I don’t think IBM’s Watson “cognitive computing system” benefits from a mainframe branding effort. Rometty presented her audience with an example of how Watson can benefit retail travel consumers, and then, at almost the same moment, pointed to what I take to be a much bigger story: how Watson can provide businesses in the online search market with a much more effective tool than some of the leading search tools on the market today. The two stories do not share the same scale. IBM MARCOM should spend more time portraying the really big applications for this technology (meaning for the online search market) and less time on the direct-to-consumer story.

Successfully branding Watson is a big challenge, especially given the deep commitment IBM has made to the launch of this product. I don’t think all of the publicity IBM has created around the Jeopardy Game Show application for this technology will pay off. But the minute or two Rometty spent on the comparison of Watson’s ability to serve up the ABS avalanche rescue system as something travelers may want to acquire before embarking on a trip to Patagonia was much more compelling, especially when she noted the other online search tool (not named) served up 750 thousand results for the ABS acronym.

Is Big Data Analytics the Best Solution for Online Security

Rometty predicted data analytics will prove to be the solution for truly effective online security systems in the future. But is this something new? I don’t think so. Almost any of today’s best of breed online security tools includes a database repository for information, and controls built on data analytics. I think she would have been more effective had she cited some examples of how IBM’s analytics products promise to bring something truly new to this market.

Ira Michael Blonder (https://plus NULL.google NULL.com/108970003169613491972/posts?tab=XX?rel=author)

© IMB Enterprises, Inc. & Ira Michael Blonder, 2014 All Rights Reserved

26
Nov

CloudShare May Offer A Better Environment for Data Security Threat Simulation

As data communications takes on an ever increasing set of mission critical roles for businesses of all types, and sizes, access to a method of simulating data communications problems, of all types (regardless of whether they arise from accidents, or from malicious activity) must be provided to any/all stakeholders within an organization as a cornerstone of operational risk management.

CloudShare (http://www NULL.cloudshare NULL.com) is an example of the type of highly flexible, off premises, cloud computing solution capable of providing businesses with a “sanitary” method of simulating data communications disruptions. Any suitable venue for this type of testing must offer users

  • a method of precisely simulating “real world” office computing environments, including hardware, operating systems, and applications
  • support for team collaboration on projects
  • and rapid set up and tear down for targeted environments

CloudShare’s TeamLabs (http://www NULL.cloudshare NULL.com/solutions/development-testing/features-teamlabs) subscription offer meets, or exceeds each of the above criteria.

Stakeholders in this effort must include not only IT staff, but also key personnel from Line of Business (LoB) units. Online commerce activities, social media efforts, mobile messaging, are usually owned and operated by LoBs (with the blessing and support of IT). Regardless of the look and feel of any of these electronic activities, at the network layer each of them relies on healthy data communications. So the effort to safeguard data communications is a critical management activity for everyone with an interest in the success of these features of the business.

In August of this year, Gunter Ollmann authored an article, “The Increasing Failure of Malware Sandboxing (http://www NULL.darkreading NULL.com/attacks-breaches/the-increasing-failure-of-malware-sandbo/240159977), which was published on the Dark Reading website. Mr. Ollmann points out some limitations in the usefulness of “dynamic sandboxing” techniques, which have grown in popularity as data communications has become monolithic with Ethernet at the network layer and Hypertext Markup Language (and its siblings) at the presentation layer.

From an operational risk management perspective, “dynamic sandboxing” amounts to scenario testing. The points Mr. Ollmann makes illustrate the limitations of the usefulness of the scenarios depicted via this method. The rapid expansion of the Internet, together with the dramatic expansion of online data communications to include what I refer to as small, smart, mobile devices, have both pushed “dynamic sandboxing” rather far along a path to obsolesence.

Mr. Aviv Raff, in an article published on November 4, 2013, titled Cloud-Based Sandboxing: An Elevated Approach to Network Security (http://www NULL.securityweek NULL.com/cloud-based-sandboxing-elevated-approach-network-security#!) makes a case for cloud-based sandboxing as a superior method of building truly useful scenarios for risk management. I concur with Mr. Raff’s point. To reiterate, an enterprise account at CloudShare can certainly be configured to provide a business with an opportunity to test various data communications problem scenarios safely, off premises, where they ultimately belong.

Ira Michael Blonder (https://plus NULL.google NULL.com/108970003169613491972/posts?tab=XX?rel=author)

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved

5
Sep

U.S. Financial Services Continue to Scramble for an Effective Operational Risk Management Methodology

Very large financial services businesses based in the United States continue to struggle as they seek to implement genuinely effective operational risk management methods to safeguard the integrity of mission critical applications.

In late 2012 J.P. Morgan disclosed a substantial trading loss attributable to the uncontrolled activity on a team of stock traders. On August 21, 2013, the NASDAQ stock exchange was forced to cease activity for over 3 hours during the trading day as the result of technical malfunctions (the specific problems were not disclosed to the public as of the time this post was written).

Nevertheless, acknowledged experts agree the exposure created by this absence of effective controls is very large. So why is it so difficult for effective controls to be implemented?

We would not presume to present a simple answer to this question. When we consider the frequency of these problems, along with examples of a worrisome attitude in the financial services industry, we can’t help but envision the problem as something very complex. The worrisome attitude can be found in some recently published notions about data security, and, perhaps, risk management itself, as somehow less important, less mission critical than other, more pressing tasks required to keep operations running.

We hope our readers will agree, categorizing this industry attitude as “worrisome” is an obvious understatement. The kind of complete breakdown in proper functioning of financial markets as the NASDAQ shutdown of August 21, 2013 unfolded, is absolutely the kind of black swan event the entire financial services industry should be dedicated to avoid.

The sunny side of this story, if there is one, is the undiminished opportunity still before ISVs who want to enter this market. The market still needs effective operational risk management solutions. ISVs with the technology required to satisfy these market needs will undoubtedly be handsomely rewarded for their efforts.

Ira Michael Blonder (https://plus NULL.google NULL.com/108970003169613491972/posts?tab=XX?rel=author)

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved

19
Jul

Markets Seem Oblivious to Security Risks of Small Smart Mobile Devices

On July 5, 2013, the TechCrunch website posted an article authored by Ms. Natasha Lomas, “Android ‘Master Key’ Security Hole Puts 99% of Devices At Risk of Exploitation” (http://techcrunch NULL.com/2013/07/04/android-security-hole/). Despite our hope they will react otherwise, we think consumer markets will continue to operate “as usual” and continue to purchase small, smart mobile devices built on the Android O/S.

As we wrote over a year ago, we think this complacent market attitude will only change if financial institutions retreat from their long standing commitment to absorb the cost of any breaches of online security systems, and start passing them through directly to consumers. We don’t see these institutions changing this position any time soon. Further, the well publicized intention of the U.S. Dept. of Defense, to protect the security of U.S. Ethernet networks and websites, reinforces the reasonableness of our assumption.

One would think an article like this one, by Ms. Lomas, would prompt consumers to look closer at competitive devices from Microsoft®. After all, Windows 8 is a proprietary operating system. Further, we think Microsoft has expended a considerable energy over the last year, or more, to build a brand for itself as THE most secure cloud services provider. But the continued misses of Microsoft’s public relations and marketing communications efforts for consumer markets will likely undermine any advantage they would otherwise gain from this article.

Pricing also plays a role here. Tablets and smartphones built on the Android O/S are, for most consumers, the least expensive option. In contrast, Microsoft’s Surface Pro tablet is the most expensive “stock” option (the 64GB version is about $70.00 more expensive than a comparable iPad). Consumers will simply expect each Android OEM to provide them with a fix for the security hole publicized in Ms. Lomas’ article. But even if this hole is plugged, others may soon come to light.

Ira Michael Blonder (https://plus NULL.google NULL.com/108970003169613491972/posts?tab=XX?rel=author)

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved

10
Jul

Opportunities for Early Stage ISVs With Security Solutions for Industrial Process Control Systems

The second quarter, 2013 ICS-Cert Monitor Report from the U.S. Dept. of Homeland Security reports on Brute Force Attacks on Internet-Facing Control Systems (http://ics-cert NULL.us-cert NULL.gov/sites/default/files/ICS-CERT_Monitor_April-June2013 NULL.pdf). The report notes a highly significant increase in the number of these attacks. “In fiscal year 2012, ICS-CERT responded to 198 cyber incidents across all critical infrastructure sectors. Of these, 41% were in the energy sector compared to all other sectors.” But “[I]n the first half of fiscal year 2013, (October 1, 2012–May 2013), ICS-CERT has responded to over 200 incidents across all critical
infrastructure sectors. The highest percentage of incidents reported to ICS-CERT occurred in the energy sector at 53%.” (all quotes are excerpted from the second quarter 2013 ICS-Cert Monitor Report published by the U.S. Dept. of Homeland Security. A link to this report has been provided above).

Early stage ISVs with off-the-shelf solutions for control systems data security should be looking at a highly motivated market for the remainder of 2013, 2014, and even 2015. The solutions market participants need must safeguard Ethernet networks and applications written for web browsers.

Early stage systems integrators will not likely share the benefit from this market trend. A combination of a requirement for firms with high level security clearances, and the traditional purchase behavior of businesses in this market (they tend to all use the same systems integration resources), will put a damper on the potential return for systems integrators.

We think there is also an opportunity in this market trend for computer hardware vendors. A lot of control systems operators will be looking for hardened terminals–thin clients without local hard drives or ports for peripherals.

The increase in the number of attacks on networked data communication systems was likely matched, or exceeded by the number of control systems operators implementing Software as a Service (SaaS) cloud offers. In our opinion we think this market is experiencing double digit growth, year over year. Cost savings simply trump security concerns for heavily regulated energy providers, exploration companies, and other public utilities.

Ira Michael Blonder (https://plus NULL.google NULL.com/108970003169613491972/posts?tab=XX?rel=author)

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved

5
Jul

Constraining Systems Administrators with a Two Man Rule May Not Solve Data Leak Problems

On Sunday, June 23, 2013, General Keith B. Alexander, Director of the U.S. NSA, publicly announced the implementation of a new control to manage the risk of another Edward Snowden emerging and absconding with classified information — a “two man rule”. We found a definition of this operational risk management concept on Glenn Brunette’s Event Horizon blog on Oracle.com (https://blogs NULL.oracle NULL.com/gbrunett/entry/enforcing_a_two_man_rule).

Popular technology product themes, including big data, and Software as a Service (SaaS) cloud computing offers, will lose a lot of their attractiveness for larger organizations if a reliable method can’t be found to control the risk of a new Edward Snowden compromising yet another set of operational risk management controls and getting away with a lot of classified information. So we maintain a keen interest in this story.

We don’t think the “two man rule” will be a long term solution to this problem, for a few reasons:

  1. IT Systems Administrators have to move quickly to fix problems. Slowing them down by requiring a sign off by another systems administrator prior to implementing a fix will likely lead to dissatisfied users and organization-wide impatience with risk controls
  2. What’s to stop two systems administrators teaming up on an effort to data security?

A better idea is to analyze the current process of granting security clearances to make it substantially more difficult to obtain top security clearances. If these clearance procedures can be hardened, the problem will be controlled simply by denying admission to individuals capable of subverting data security measures. Why let these people into secure environments in the first place?

The “two man rule” is the type of control to implement in response to a problem. But we need to implement proactive controls, capable of eliminating the possibility of problems arising at all. These controls should be available, and used within staff selection procedures for IT roles requiring security clearances.

Ira Michael Blonder (https://plus NULL.google NULL.com/108970003169613491972/posts?tab=XX?rel=author)

© IMB Enterprises, Inc. & Ira Michael Blonder, 2013 All Rights Reserved

10
Aug

As the Result of Cloud Conundrum Securing Enterprise IT Data is an Exponentially Larger Market than Previously Thought

As the result of a massive amount of daily editorial content on the topics of so-called “cloud” computing and “software-as-a-service”, we think that enterprise IT organizations are under increasing pressure from business lines to permit end user access to online processes which, in all likelihood, are not only insecure, but dangerous as they represent potential gateways back into enterprise data centers, themselves. Therefore, we think that innovative tech businesses with security solutions for these cloud computing venues are looking at a promising near term future.

The average enterprise CIO has developed something of a blind eye to this ever increasing set of positive editorial content about the ultra low cost of cloud computing as well as the rich set of benefits that it can deliver to end users who can do all sorts of sophisticated computing tasks through simply a web browser and an online account. On the other hand, they cannot afford to ignore the growing number of alarming reports of serious vulnerabilities in cloud computing solutions, which threaten to open entire enterprise IT organizations to malicious intrusion.

Therefore, innovative tech businesses with security solutions for enterprise IT markets have a decent chance to make some headway as the result of what we refer to as the cloud computing frenzy. Of course, the marketing communications themes for these products must be carefully crafted to talk to cloud and/or SaaS topics in a credible manner, but there should be no risk in emphasizing security vulnerabilites.

Marketing and sales teams for cloud security solutions targeted to enterprise IT should include individuals with a proven track record of success in these enterprise IT markets. Perhaps no other type of IT product benefits more from a foundation of a trusted relationship between vendor and buyer than security products. If an individual with a suitable track record is not presently included in the management team, nor within sales or marketing staff, then it will make sense to engage with an individual of this caliber on a consulting basis, in order to secure a suitable endorsement.

If you are going to market with a security solution for enterprise IT, but are unsure as to how best handle marketing communications for your product you ought to consider a firm like IMB Enterprises, Inc. to help you along. You can contact us online or telephone us at +1 631-673-2929. The first 15 mins of any consultation is always on us.

© IMB Enterprises, Inc. & Ira Michael Blonder, 2012 All Rights Reserved