“The nation’s approach to cybersecurity over the past 15 years has failed to keep pace with the threat.  We need to demonstrate abroad and at home that the United States takes cybersecurity related issues, policies, and activities seriously.  This requires White House leadership that draws upon the strength, advice, and ideas of the entire Nation.”

~ A quote from the Executive Summary

 

 

It is probably best to set the stage rather than assume that everyone out there knows what I’m talking about.  Shortly after President Obama took office he directed a 60-day comprehensive, “clean-slate” review to assess US Policies and structures for Cybersecurity.  Outside the scope of the review were those areas that are unrelated to national security or securing the United States’ critical infrastructure.  This type of review has been needed for quite a while and there has been debate as to whether or not the government would actually release anything that is useful or if they would just recapitulate what has already been said just in a different way.  You can find the Cyberspace Policy Review on the White House website.  There is also a nice list of the documents that went into the review. 

 

What follows is a review of the report and my initial impressions:

 

The report declares that cybersecurity risks rank up there with the most important economic and national security challenges of the 21^st Century.  In order to meet this challenge the report declares that:

 

“It is the fundamental responsibility of our government to address strategic vulnerabilities in cyberspace and ensure that the United States and the world realize the full potential of the information technology revolution.” 

~ A quote from the Executive Summary

 

To support this declaration the report mentions a few malicious activities have already disrupted critical infrastructure elements in other countries (the disruption of electric power grids); the exploited financial services (any number of data breaches and fraud cases); and the systematic loss of US intellectual property (Estimated to have a loss of economic value as high as $1 trillion dollars.)

 

In order to address these issues the report breaks down its findings and recommendations into five areas:

 

·         Leading from the top;

·         Building the capacity of a digital nation;

·         Sharing responsibility for cybersecurity;

·         Improving information sharing and incident response; and

·         Building the architecture of the future.

 

Under Leading from the Top, the report calls for the US to be a world leader in addressing the challenges of cyberspace.  In order to do so the report states that in order to realize this goal, leadership must come directly from the White House.  The rational for this is the fact that within the US government only the White House has the authority to coordinate the wide array of capabilities and authorities required to respond to cyber incidents.  In order to support and facilitate this authority the report recommends that cybersecurity policy official be appointed to coordinate the nations cybersecurity related policies and activities.  This individual would be part of the National Security Council (NSC).  Additionally it is suggested that this new official should participate in economic, counterterrorism, and science and technology policy discussion in order to provide the cybersecurity perspective.  A very good idea.  It would go a long way to integrate cybersecurity concerns into all sorts of decision making processes.  The report goes on to talk about the specific duties that this individual should have and how they should strive to facilitate coordination and cooperation within the federal government with regard to cybersecurity. At a high level these duties revolve around the area of reviewing laws and policies (which would lead to new proposed legislation), strengthening federal leadership and accountability for cybersecurity (greater accountability is a good thing), and increase the interaction between the federal government and state, local, and tribal leadership with regard to cybersecurity (a laudable goal). 

 

Under Building Capacity for a Digital Nation, the report covers a few different items and likens the challenge to that which the United States faced after the launch of Sputnik back in 1957. (Okay the analogy was noted in the Exec Summary but it fits in here.)  In order to rise to this challenge the report calls for an emphasis on math and science skills in order to develop a workforce of US citizens to compete on a global level and sustain the leadership role of the United States.    

 

In order to meet these challenges the report calls for the need to build public awareness into the nature and risks involved in the use of cyberspace.  Awareness is always a good thing but it isn’t the end of the road.  Building upon awareness the report suggests an effort to enhance our education system by including cybersecurity and promote scientific, engineering, and market leadership in the IT space.  Recent studies has shown the US is lacking in this regard therefore this suggestion is timely and needed.  If nothing else is implemented within this plan, this one should be.  Once we have these educated people the question arises on where to put them to work.  The report calls for a need to expand and train the federal information technology workforce.  The language here seems to foreshadow a trend to expand the government by recapturing a lot of the IT positions that have been lost through outsourcing to the private sector.  There is even language here to allow for the rotation between assignments in different agencies.  I’m going to be eagerly looking forward to how this pans out because I think it could very well be a boon for the federal workforce. 

 

Under Sharing Responsibility for Cybersecurity, the report acknowledges the fact that the federal government cannot succeed without engaging others.  A national dialogue is called for between the public and private sector.    Some of the language here points to a dialogue that would allow the government to hear the concerns that the private sector has over cybersecurity issues as well as learn more about the difficulties that are faced in order to craft legislation and regulations to support businesses incorporate security to a greater degree. 

 

This interaction isn’t limited to the US either.  The report recognizes that international norms are critical to supporting cyberspace and therefore a strategy needs to be designed to foster international cooperation and collaboration with regard to cybersecurity.  Some of the items mentioned were the development of uniform technical standards and the legal issues that arise owning to the borderless nature of cyberspace. 

 

Under the Creating Effective Information Sharing and Incident Response, the report calls for a form of nationwide incident response capability to include Federal, State, local and tribal governments working together with the private sector and international allies.  This is in recognition that cyber incidents are likely to affect networks and systems across both the public and private sector.  This section also leverages the Cybersecurity Coordinator named in the Leadership from the Top section of the report and calls for the development of a national incident response framework.  This framework would go a long way to avoid the confusion surrounding roles, responsibilities and authority that always comes up when multiple departments and agencies respond to an incident. 

 

In addition to an ability to react to a cyber incident, the report calls for the investment into preventative processes, technologies, and infrastructure.  This could take the form of increased testing, centralized administration, and restricted connectivity for unclassified government systems (Sounds like the TIC will fit in here.)  As I read this I’m beginning to imagine some sort of common federal security operations center.  Apparently it will coordinate with other similar centers on state, local, and tribal levels.  It will be interesting to see how this is actually operationalized.   

 

Under Encouraging Innovation, the report acknowledges that there has been a convergence of technologies where data, voice, and video are now sharing a common infrastructure.  This decentralizes the nature of the technology and allows for innovation.  It also presents a common vulnerability namely the susceptibility of the common infrastructure to a disruption.  Understandably there are national security implications as this infrastructure forms the veins through which the nation’s (and the world’s) economy flows.    As a result the report calls for the government to find ways to incentivize the market to innovate and make more secure products.  It even hints that legal changes in the form of liability considerations could be in the works for companies that come on board.  Conversely increased liability consequences would exist for those who have poor security.  (Both from the Executive Summary Section) Sort of a carrot and stick approach.  I like the combination of incentives and penalties.  In my experience it tends to illicit change greater than the use of penalties alone.   

 

The report then calls for an increase in the research and development efforts of the federal government that would focus on “game-changing” technologies in the effort to enhance the United States’ competitiveness.  These efforts would be in conjunction with industry and academia in order to avoid duplication and leverage complementary capabilities.  While the language indicates that the aim would be to ensure the timely transition of this new technology to market, I get the feeling that the federal government’s role would be to facilitate this collaboration, provide some requirements based upon other cybersecurity efforts (incident response comes to mind) and help define goals in conjunction with national and international standards bodies.  There is no clear indication of this though, it is just my gut feeling at this point.  Items such as supply chain security and emergency preparedness would also be areas of interest in this R&D initiative. 

 

One of the options that were put forth is the establishment of some sort of federal level identity management system.  There are many pros and cons to this option.  The report acknowledges that people may be uncomfortable with this idea and in what I read to be a preemptive move calls for cooperation with the civil liberties and privacy communities. 

 

The report concludes with two forms of action plans, a near-term plan and a mid-term plan.  I’ve copied them below:

 

The Near-Term Plan:

 

1.   Appoint a cybersecurity policy official responsible for coordinating the Nation’s cybersecurity policies and activities; establish a strong NSC directorate, under the direction of the cybersecurity policy official dual-hatted to the NSC and the NEC, to coordinate interagency development of cybersecurity-related strategy and policy.

2.   Prepare for the President’s approval an updated national strategy to secure the information and communications infrastructure. This strategy should include continued evaluation of CNCI activities and, where appropriate, build on its successes.

3.   Designate cybersecurity as one of the President’s key management priorities and establish performance metrics.

4.   Designate a privacy and civil liberties official to the NSC cybersecurity directorate.

5.   Convene appropriate interagency mechanisms to conduct interagency-cleared legal analyses of priority cybersecurity-related issues identified during the policy-development process and formulate coherent unified policy guidance that clarifies roles, responsibilities, and the application of agency authorities for cybersecurity-related activities across the Federal government.

6.   Initiate a national public awareness and education campaign to promote cybersecurity.

7.   Develop U.S. Government positions for an international cybersecurity policy framework and strengthen our international partnerships to create initiatives that address the full range of activities, policies, and opportunities associated with cybersecurity.

8.   Prepare a cybersecurity incident response plan; initiate a dialog to enhance public-private partnerships with an eye toward streamlining, aligning, and providing resources to optimize their contribution and engagement

9.   In collaboration with other EOP entities, develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience, and trustworthiness of digital infrastructure; provide the research community access to event data to facilitate developing tools, testing theories, and identifying workable solutions.

10.                Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.  

 

The Mid-Term Plan:

 

1.   Improve the process for resolution of interagency disagreements regarding interpretations of law and application of policy and authorities for cyber operations.

2.   Use the OMB program assessment framework to ensure departments and agencies use performance-based budgeting in pursuing cybersecurity goals.

3.   Expand support for key education programs and research and development to ensure the Nation’s continued ability to compete in the information age economy.

4.   Develop a strategy to expand and train the workforce, including attracting and retaining cybersecurity expertise in the Federal government.

5.   Determine the most efficient and effective mechanism to obtain strategic warning, maintain situational awareness, and inform incident response capabilities.

6.   Develop a set of threat scenarios and metrics that can be used for risk management decisions, recovery planning, and prioritization of R&D.

7.   Develop a process between the government and the private sector to assist in preventing, detecting, and responding to cyber incidents.

8.   Develop mechanisms for cybersecurity-related information sharing that address concerns about privacy and proprietary information and make information sharing mutually beneficial.

9.   Develop solutions for emergency communications capabilities during a time of natural disaster, crisis, or conflict while ensuring network neutrality.

10.                Expand sharing of information about network incidents and vulnerabilities with key allies and seek bilateral and multilateral arrangements that will improve economic and security interests while protecting civil liberties and privacy rights.

11.                Encourage collaboration between academic and industrial laboratories to develop migration paths and incentives for the rapid adoption of research and technology development innovations.

12.                Use the infrastructure objectives and the research and development framework to define goals for national and international standards bodies.

13.                Implement, for high-value activities (e.g., the Smart Grid), an opt-in array of interoperable identity management systems to build trust for online transactions and to enhance privacy.

14.                Refine government procurement strategies and improve the market incentives for secure and resilient hardware and software products, new security innovation, and secure managed services.

 

In summary I think it is a good plan though I do need to read it through a few more times.  I think it is ambitious and for the most part will be good for the country.  There are a few areas of concern but it is clear that these are intended to be high level ideas and to spark debate which is always a good thing.  This report is also consistent with the proposed legislation that is out there (Namely S.773 the Cybersecurity Act of 2009).  It is almost so consistent that it makes you wonder how much cross over there was between the people advising on the legislation and those conducting and preparing this report. 

 

 

Tags: 60-Day Review, challenges, critical infrastructure, cybersecurity, Cybersecurity Coordinator, Cyberspace Policy Review, mid-term plan, near-term plan, White House

On the evening of April 27 2009 Abdirahman Ismail Abdi entered the facilities of the California Water Services Company (Cal Water).  After presumably parking his car in the employee car park, he entered one building with his electronic key card and proceeded to the office of a senior executive.  Sitting down at the executive’s computer he initiated three separate transfers totaling $9 Million USD from the accounts of Cal Water to an account in Qatar.  Having completed this transaction he exited the office and building and proceeded to another secure building on the Cal Water campus.  Again he used his electronic key card to access the building.  Proceeding to the office of yet another senior executive, he again used that executive’s computer to access the Cal Water’s financial systems and approved the transfer requests he initiated just a few minutes before in the other building.  His work completed he most likely walked out to his car and drove away. 

 

What we don’t know yet is how he accessed the financial systems: did he use his own credentials or did he use the credentials of the senior executives whose computers he accessed?  To me it sounds like he somehow compromised the accounts of the two executives but this is just conjecture on my part.  The next question raised is why he would need two separate computers.  If he had the user account information then couldn’t he just access the financial system from the same machine logging in once to initiate the transfer before exiting and logging in again to approve it? A number of reasons come to mind:

 

·         Perhaps he was trying to frame these two executives;

·         Perhaps the software used to access the financial system required different client modules thus the need for two separate computers;

·         Perhaps the financial system required an electronic certificate from these users that was only stored on their own computers. 

 

I’m sure other reasons come to mind but let’s go with these.  Moving on, how do we know that Abdi is the perpetrator?  Having just broken down how the financial account was accessed I would venture to guess that he did not use his own login credentials.  Cal Water is the largest investor-owned American water company west of the Mississippi River and the third largest in the company.  I think that it is safe to assume that they had some sort of separation of duties controls in place hence the need for two computers in two different buildings.  Again this is conjecture on my part but it does make sense. 

 

But if he used the accounts of those senior executives then how do we know it was him? We believe it to be Abdi because he was observed by janitor in the buildings on the night of the crime and he also allegedly attempted to deposit a check for more than $25,000 USD made out to Cal Water in his own bank account.  Add to this the fact that (1) Abdi put his wife and children on a plane to Germany on April 28^th the morning after the crime and (2) Abdi resigned his position as an auditor for Cal Water just hours before he allegedly committed this crime and things don’t look so good for him right now. (Abdi is currently on the run and is believed to have fled the United States through Canada as of this writing.) 

 

Now this is a good story worthy of a “movie of the week” (or perhaps an afterschool special for young security professionals still in school).  It goes to show that the human element is both our greatest weakness as well as our greatest strength.  Let me explain that. 

 

Going back over the story a few things stand out to me.  The first is that Abdi needed to access Cal Water facilities with his electronic key card.  The second is that he needed to use two separate computers presumably with two separate accounts in order to complete the crime. 

 

Now I have no inside knowledge of the Cal Water environment or systems but it makes sense that if Abdi could have accessed the facilities without his key card he probably would have so they are most likely adequate to protect against unauthorized access by an external threat source.

 

Next he used two separate computers assigned to individuals who most likely had the authority to initiate and approve fund transfers.  Not only did he need their computers but he probably needed and used their login credentials.  How he gained their login credentials is unclear.  Were they written down somewhere; did he eavesdrop them sometime in the past; did he install some sort of key logger software when he was acting in his capacity as an auditor? (The last is a scenario that I made up because it seemed plausible – there is absolutely no indication that this actually happened or is alleged to have happened.) Right now we just don’t know but it makes sense to me that he had to have needed two separate computers and two separate sets of login credentials with the right level of access to the financial systems.  As an auditor it is likely that Abdi was privy to vulnerability information concerning the financial system therefore he probably chose the easiest way to exploit the system.  That tells me that it is very likely that the technical controls on the Cal Water financial system were operating as intended or were at least sufficient otherwise why would he to go the trouble and risk of compromising two buildings, two offices, and two accounts.  (Again, I have no inside knowledge of Cal Water.)

 

So if the physical access controls were working as intended and the technical financial controls were working as intended then the only thing we have left is a failure of the human control – namely the disgruntled insider, that lead to this breach.  It was also the human control that identified the perpetrator.  Remember that a janitor has identified seeing Abdi in the building on the night of the crime after he quit.  Remember also that Abdi tried to deposit a check made out to Cal Water in his own account – not a very smart thing to do. 

 

People will argue that there was also a failure of the termination process and that Cal Water should have disabled his access (physical as well as technical) when he resigned.  What we don’t know is if his resignation was effective immediately or if he gave two weeks.  In many companies it is normal operating procedure to have an employee departing on favorable terms to wrap things up and transfer their work to another person in their final days in a position.  We have no indication at this time that Abdi was a problem employee or that he would have given any indication that he posed a threat.  Remember from what we know he resigned; he wasn’t fired.  There is also every indication that he probably didn’t even use his on login credentials once inside the facility so even if his technical access had been minimized it most likely couldn’t have prevented his use of another’s credentials.   

 

The bottom line is that it appears as if the physical and technical controls were working and operating effectively therefore the solution probably isn’t a technical one.  The human control is what failed.  Yes you could go through and upgrade the physical and technical controls to require multi-factor authentication both for entry into the facility as well as for identification within the network but is that really feasible in a majority of companies?  The need for security must always be balanced with the needs of the business.  Had Abdi actually been able to walk off with $9M then perhaps you could justify that sort of expenditure but in truth he didn’t.  (The account in Qatar was frozen and the funds transferred back to Cal Water.)

 

The insider threat is real and in an economy like this is growing.  Studies such as the 2009 Data Breach Investigations Report notwithstanding, the impact of an insider breach if often greater than that of an external breach.  In this case it was a transfer of money but what if it had been a customer list or proprietary data concerning a major company project.  (We’re speaking in general here not about Cal Water specifically.)  Touting the number of scans detected or intrusions blocked at the firewall don’t mean anything when Joe the employee who has just been laid off walks out with your customer list or the details of your proprietary processes on a flash drive.  Your competition could then undercut your prices or catch up on year’s worth of development in the space of a day. How much is that worth to your company?

 

As much as I don’t like the fact that some studies and reports have tried to downplay the risk posed by outsiders, I don’t want to overplay their importance either.  They are a threat just like other threats and they need to be addressed just like everything else.  What this story shows us is that your security controls need to go beyond the physical and technical realm.  Your staff and management needs to be trained to identify the potential for employees to become disgruntled insiders and take steps to address the issue before it becomes one.  I talked about this a lot in my three part series on Insiders (Part One, Part Two, Part Three). 

 

You also need to recognize that there is no way to completely guard against the insider threat so you need to have a plan on how to deal with it when it does eventually happen.  This takes a coordinated effort across the organization and since it may involve the seizure of evidence by local or federal authorities (should they become involved) you’ll need to account for that.  How should you deal with the media, stockholders, and the public?  What you say in the early days when you aren’t sure exactly what has happened is just as important as what will eventually be said in hindsight. (See my post on Public Relations and Security.)

 

This post has given me the idea that it might be useful to do something on the order of a breach analysis in order to bring up issues that need to be addressed well before an incident happens.  Perhaps I’ll do something like that in future posts. 

Tags: Abdi, Abdirahman Ismail Abdi, Cal Water, California Water Services Company, Data Breach, financial control, financial system, human factor, human factors, seperation of duties

It has been a few weeks since I’ve posted anything and for that I want to apologize.  I sat down and started a few posts but when I really examined what I wanted to write I realized that I was simply rehashing what has been said on a few other blogs.  Realizing that your time is as valuable as mine I decided not to post anything.  I figured that it was best not to say anything rather than contribute to the noise out there on the Internet. 

 

That is not to say that I haven’t been actively thinking about what I could post that would contribute to the overall body of knowledge.  While I have quite a few ideas, they do not always lend themselves to blog post size snippets (and yes I know I push the limit already.)  Those topics are being redirected into a book that I’m in the process of writing so they will see the light of day eventually.  What I’ve decided to focus on right now though is something that I believe is important and should fit the right length. (more or less)

 

The other night I was having a conversation with a friend.  He was sharing with me his frustration over how security was being ignored and reprioritized by people within his organization.  Now this is nothing new of course as he would readily admit and is something that every information security professional faces all too frequently.  His response was to try to have the security responsibilities for everything reassigned to his group so that the security issues would be addressed.  I think that most of us can identify with that sentiment. 

 

On being asked what I thought, I replied with a question of my own.  “Are you asking me for advice or are you just looking for someone to commiserate with you?”  Not really a fair question I know because there is really only one response but we are close enough friends that I thought I could get away with it.

 

I told him that while I could identify with the desire to “just get the job done” I thought it was a bad idea in the long run.  The reason why is that it transfers the responsibility for security away from the system/information owner and onto the security department. 

 

Now some of you are saying to yourselves “What’s wrong with that?  We’re the experts.  If they are not going to listen to us then we may as well just do the job ourselves.”   Am I right?

 

The problem is that by doing this you are transferring the responsibility for security away from the very people who need to be responsible for it.  By transferring it away the problem now becomes yours and not theirs.  They can say “That’s security’s problem, not mine” and you know something – they’d be right and isn’t that the very thing that caused you to want to take direct control anyway? 

 

Security is everyone’s responsibility.  By transferring the problem away from the system/information owners you are basically telling them that they don’t have to worry about it anymore.  They can carry on with the way they have been going by ignoring security.  In effect you are masking the symptom and not addressing the root cause of the problem. 

 

In order for security to be effective everyone needs to play their part.  Everyone needs to take ownership and do their part to contribute in order to be successful.  I believe that many of the problems that we see today are directly related to the fact that we, without realizing it, have actively divorced people from being responsible for security.  We have transferred responsibility for security to ourselves because we “know better.”  It was easier to do that than to convince others that they needed to change the way the way they do things in order to be secure.  We inadvertently “disengaged” people. As a result when we try to re-engage people we run into resistance.  Subconsciously the reaction is “but that’s not my responsibility, it’s yours.  I have enough to do.”

 

To add insult to injury many of the security awareness and training measures that we have taken to date have only made our jobs more difficult.  Now users, system owners, and information owners can say that they know all about security – they’ve had the training.  Most of them can recite sound security practices when asked.  The problem is that, for the most part, they don’t actually behave that way. 

 

We only perpetuate the problem and reinforce the belief that “security isn’t their responsibility” when we reassign security responsibility to ourselves.  That feeds a negative behavior loop when what we really want to do is break that pattern of behavior.  The only way to do that is to stay the course.  This means that we all become educators, mentors, and coaches in addition to being subject matter experts.  True behavioral changes are the result of both positive and negative reinforcement so find ways to make it beneficial for people to “exercise their security responsibility” and not just punish them when they do something wrong.

 

Now this isn’t the easy answer.  It is analogous to teaching your child how to walk.  In order to do so you need to let them fall down a few times.  You offer encouraging words and put them back on their feet again for another go.  Sooner or later they get the hang of it and off they go.  That doesn’t mean that they are out of the woods.  There will be stubbed toes and running into things every now and then.  If we were to give up and carry our children everywhere then they would never learn and we’d be stuck carrying them everywhere.  That isn’t fair to them or us. 

 

 

 

Tags: ownership, responsibility, who owns security