© Critical Informatics Inc., All Rights Reserved 2016

Threat Intelligence Blog

The Been There, Bled There Blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
(206) 687-9100
Back in the early 1990s, Mike Hamilton, an acquaintance made through a shared obsession with USC Trojan Football, asked me if I wanted an email account. This is before the Internet as we know it today, a world of 300 baud (300 bits per second, the standard connection speed today is 3.3 million times faster!), acoustically-coupled (essentially a cradle for the handset part of the old rotary dial phone), dial-up modems that we used to connect to Bulletin Board Systems (BBSs). That was how the world at the time of about 100,000 or so of us went online.

Over two decades later, that single question led to where I am today, to where all the work that Mike, our colleagues, customers, and associates have collectively taken us.

This October, M. K. Hamilton & Associates, LLC is becoming Critical Informatics Inc. This is where we were meant to be, the result, the end-point, the objective, after taking that first step seemingly a lifetime ago now. In 1994, our career in Information Security was two computer geeks with science day jobs pulling all-nighters trying to conjure security products out of our imagination.

Some things that were true then are unheard of today - Firewalls were C code you tweaked yourself and compiled on FreeBSD systems. Linux was still virtually unknown outside of academic circles and folks who watched the Linus Torvalds / Andrew Tanenbaum debate on Usenet.

Ironically, much like now, security automation then was cobbled together with AWK and SED and Turbo C Shell (Tcsh) or Bash scripts -- funny how other things never change no matter how long ago we adopted them!

Read More

KEEP ON TRUCKIN': WHAT A LONG, STRANGE TRIP IT'S BEEN   9/24/2015 By Fred Langston CISSP CCSK EVP, Professional Services
Critical Insight. It’s what we provide, and the name of our next generation product, just released July 31. The name, the product, the new capabilities and a new perspective on how to achieve all of it seemed worthy of explanation ... and maybe a fun puzzle.

As scientists and practitioners working in an infant science like information security, we find that we spend a lot of time looking at more mature science for models and techniques that we can use to “see further, by standing on the shoulders of giants” to both paraphrase and mangle Sir Isaac Newton. We find ourselves reading textbooks and taking classes in statistics, numerical analysis, natural language processing and epidemiology, among other things.

When presented with the problem of modeling an approach to the very real problem of applying a mix of signature, anomaly, behavioral and reputation methods to the vast amounts of data available from modern networks and systems – our team kept finding themselves making great progress, then retracing their steps to accommodate new information, new threats or just plain new thinking.

Clearly, a state of continuous re-design is not sustainable as a service supporting regional critical infrastructure in the face of constantly evolving threats and a stream of successful attacks. We needed to find a giant’s shoulder, and we found one in logic puzzles.

Read More

Knights and Knaves, and CRITICAL INSIGHT   8/01/2015 By Mike Simon CISSP CTO
"Know your enemy and know yourself, and you will win a hundred battles." - Sun Tzu from Art of War

The man and his work are legend, and for good reason. Inspired by the sage, I've explored this concept and applied his theories at some of today's largest companies. And if you've heard me or read anything I've written in the last few years, you'll recognize the following interrogatory statement which is the above stratagem in modern cyber-security parlance: Do you know how, with what resources, and where you will direct your incident response team when an active attack has been detected against your organization?

Short shrift is being paid to the basic task of understanding one's own attack mitigation and response capabilities. We all finally agree that it's a matter of when and not if we are going to experience a breach. So, even if we know our threat horizon well, no security technology, architecture, practice or policy, at least today and within my lifetime, will ever be fully resistant to cyber-attacks. Knowing this, isn't it paramount to fully understand exactly what your organization should be doing when under active attack?

What I believe is commonly missing from IR planning is a way to provide tactical guidance once an attack is underway on who should be responding, what activities should be prioritized, what tools should be used, and most importantly, what specific defensive capabilities are going to be most effective against the specific type of attack being experienced.

Fighting a cyber-attack without knowing your own response capabilities is comparable to sending a field general out to command an army without telling the commander what weapons his troops have and how well they can use those weapons, nor any knowledge of the enemies' weapons the troops will face in battle. The corollary to this is the fact that many activities carried out in a standard, well-constructed IR plan may have little or no effect on stopping the attack and all the associated damage because we cannot provide specific, appropriate responses a priori for a future attack.

Read More

How Will You Respond when You're Under a Cyber Attack?   9/24/2015 By Fred Langston CISSP CCSK EVP, Professional Services
Part One: What are the “7012” regulations?

Defense Acquisition Regulation Supplement 252.204-7012

In November 2013, the US Department of Defense issued final rules to its defense acquisition regulations. Defense Acquisition Regulation Supplement (DFARS) section 252.204-7012 now requires contractors to safeguard information that is deemed Unclassified, but controlled (called UCTI), within their IT systems in a manner compliant with standards issued earlier in 2013 by the National Institute of Standards and Technology (NIST).

The 7012 regulations also require immediate reporting of any incident or threat to UCTI that is carried on or held in an IT system. The NIST is the cognizant agency for Classified standards and operational regulations. The regulations themselves are a part of, and a driver to, a set of complex problems for industry — presently, with risk being transferred away from DoD to its contractors who will find risk rebounding to them via their “cyber” insurance policies.

This two-part article isn’t intended to fan the flames, but rather to give the context behind the regs, provide meaningful definitions for practical use, offer probable implications for industry, and set out why the seemingly most reasonable solution for businesses may be the most dangerous to them.

No law firm, consultancy, proprietary software solution, or cyber-insurance policy has a magic solution that will ensure compliance. Businesses are encouraged to understand the playing field, proceed conservatively, employ consultants or use external resources and partners as part of their due diligence to understand and comply with the requirements, articulate an operational plan, document copiously, communicate generously with their subcontractors, and remember to build and maintain bridges between IT functionality and general operations.

Onions, and Ogres, have layers

Like the famous ogre, Shrek, the 7012 regulations have a layered history and an unfriendly disposition, with good intention at base. Understanding and applying them requires an understanding of regulatory context, and current market forces at work. We’ll start by peeling back the onion layers around the regulations themselves. In the second part of this article, we’ll look at why implementation, compliance, and risk transference strategies are on a collision course with private cyber insurance, with the critical functionality providers (that’s you) wedged in the middle.

Read More 

7012 REGULATIONS AND CYBER INSURANCE ARE ON A COLLISION COURSE WITH SMALL BUSINESS   5/25/2015 By Larisa Breton, MPS President of FullCircle Communications, LLC
I am a member of the American Bar Association’s Science & Technology Section, Electronic Discovery and Digital Evidence (EDDE) Committee and recently had the privilege of spending a couple of days with the leading experts in the country on electronically stored information, legal forensics and e-discovery. The two-day meeting was packed with excellent and timely new information whose highlights I have summarized below:

1) Federal Rules of Civil Procedure (FRCP) expected to be approved within the next week or so. Proposed changes: (NOTE: these are still “proposed” and could change)

    a. Rule 26(b)(1) – the issue of proportionality now at the top of the list of considerations that a court should use when deciding on the relevancy and importance of evidence to a case.

        i. If preservation or production of electronic evidence will place a burden on one of the parties disproportionate to either:
            1. The issues of the case, or
            2. That party’s responsibility and capability to preserve or produce the evidence,

        ii. The court is asked to make decisions on whether to compel production, and who should pay for the production, based on the weight of the burden.

    b. New language to clarify that this decision should no longer be based entirely on the financial burden but should consider all issues that are affected by the request and might impact the parties involved (e.g. reputation, time & personnel resources, etc.)

    c. Rule 37(e) clarified that some of the more onerous sanctions for spoliation should only be considered if it can be shown that the party acted with the intent to deprive another party of the information's use in litigation. It also states no sanctions, unless it can be shown that the spoliation or loss of evidence has created prejudice.

    d. Rule 34(b)(2)(B) - Objecting to producing electronic evidence due to an assertion of burden will require showing real reasons with actual evidence of the burden. You will need to state specifically why you’re objecting and what you are withholding as a result of your objection.

Read More

COMING SOON TO A COURTROOM NEAR YOU   5/12/2015 By David Matthews CISSP CISM DRFS CSFA IR & Forensics Practice Lead
The public sector is an interesting, important and really tough market to work with. You can verify this by asking your vendors how they feel about working in "SLED": State, Local and Educational. They'll talk about thin and biennial budgets, government procurement rules and political and labor overlays.

And yet, we picked this market preferentially. Why? Because we have kids. Because clean water, emergency management, and communication systems for public safety are far more important than credit cards. Yes, the public sector holds personally identifiable information, health records and cardholder data and those are important as security drivers (no one wants to be "above the fold"), but the real exposures are the ones that can result in loss of life if disrupted.

So our challenge is to come up with security services that are focused on the right things, provide demonstrable value, and help with moving the conversation forward about securing the critical assets that are managed by the public sector - while addressing the difficulties in projecting the need for security to electeds and executives.

So here are three packages that do just that. These are meant to assist with establishing a security baseline and budget priorities, identifying low-hanging fruit for quick wins, and addressing compliance requirements that apply to HIPAA, CJIS, and PCI. And while pricing depends on scope, these are normally below the threshold for competitive procurement.

Read More

Three Security Packages for the Public Sector   4/17/2015 By Michael Hamilton CISSP CEO
Veterans Helping State Fight CyberSecurity War

Mike Hamilton, featured in a KING-5 TV news story in his role as Policy Advisor to the Washington State Office of the Chief Information Officer. In his job as Policy Advisor, Mike collaborates with organizations around the state, including the military, public utility and water/sewer districts, University of Washington and local governments. The objective of this work is employment as cyber-analysts for our veterans, and availability of these resources for business and government in our state. Watch the story on KING-5's Website by clicking here.
HELPING VETERANS: MIKE HAMILTON FEATURED IN SEATTLE TV STORY   3/14/2015 By Michael Hamilton CISSP CEO
You’ve just returned to your law firm from a long holiday weekend and are looking through your email. You find a note from your financial institution regarding a large transfer of money from one of your trust accounts. The figure is in the high-end of six figures and you nearly spill your coffee running over to your bookkeeper’s office.

He knows nothing about it. It’s time to push the panic button. Eventually you figure out that your bookkeeper received an email with a poisoned attachment and his account was compromised. Over the weekend criminals used his credentials to steal a lot of your money, and you are very unlikely to ever see it again.

You have just been the latest victim of a growing cybersecurity crisis that is beginning to target law firms. This is not fiction or FUD (fear, uncertainty and doubt) – this is a story straight from recent news.

Anyone who reads the newspaper or listens to the news cannot help but be aware of the number of organizations that are being victimized every day by our cyber adversaries. The year 2014 has been dubbed the “year of the data breach.”

Read More

MIND THE BACK DOOR: PROTECTING CLIENT INFORMATION FROM CYBERSECURITY THREATS AND DISCLOSURE   9/24/2015 By Suzanne Skinner and David Matthews M.K. Hamilton & Associates, LLC
I talk a lot about security in the procurement and contracting processes. I think using capitalism as a means of achieving an outcome is a better model than regulation. Read previous posts to get up to speed on those thoughts.

The abstraction of that idea is that suppliers are a risk, and exercising control over those suppliers -- using the power of the purse in the preceding example -- is one key to moving the cybersecurity needle. This post addresses the application of that idea in the local energy sector (our PUDs and dams, mainly).

If you follow the Daily New Blast (sign up on the right side of this page), it's become obvious through a proliferation of stories that small product and service providers, which have some degree of trusted electronic access to their customers, are the entry point for infiltration of the true targets. Click here for a good summary of the issue.

Read More

Small Companies, Russia and Energy   12/16/2014 By Michael Hamilton CISSP CEO
This is a response to a question I was asked by a State CIO (not our state), regarding legislation that addresses security in procurement. Now sharing with you.

I have been very interested in strategies to turn security into a "market force" through the creation of competitive differentiators, and using the purchasing power of the government. I feel this is a non-regulatory way to address the problem - leverage the fact that we're capitalists. This was a message delivered to, and very well-received by the Deputy Secretary of DHS in a recent meeting.

I'm not aware of legislation that has created an actual requirement for demonstrable security in a product or service - with the exception of the Fedramp program for cloud products. See below.

First, the opinion.

Effective legislation would, in my opinion, create an expectation that it is the responsibility of the state to purchase products and services that are differentiated by their attention to security. This would have to be based on standards - but don't create the standards. Make the products attest that they adhere to existing industry standards (for example OWASP for web application security), and ideally that they have been validated by a third party as meeting the standard. Don't make it a mandate that they hire a third party to test the product, just score them higher on the RFP response if they have! Change is thus forced in a non-regulatory way, just by using the power of the purse. Companies start to advertise the fact that their products are demonstrably secure, and capitalism starts to do its thing.

Read More

We Can Turn Security into a Market Force   10/25/2014 By Michael Hamilton CISSP CEO
When the team at Critical Informatics started redesigning our managed service product from the ground up for version 2.0, we had to ask ourselves a lot of questions about how to build on our success with a popular model, eliminating weaknesses, improving features we liked and extending it in ways that continue to show value in a market where it seems like everyone is claiming “advanced analytics” as their not-so-secret sauce.

Often, in early planning for products – the earliest decisions are philosophical in nature, rather than technical. This is reflected in my first post on version 2.0, where I explain that in many ways, it’s all about getting to the question – and the answers follow. In this post, I want to talk about another philosophy that we adopted in 2.0 which drives our sales and marketing team crazy, and we are still convinced was absolutely the right direction.

Critical Insight has a lot of features that are rare or non-existent in competitive products like access to packet capture for perfect replay of network events, zero false positive reporting and human analysts in the loop for all reported events. What we don’t (yet) have, is a beautiful customer portal that allows our customers to login and view beautiful pie charts and bar graphs which represent security related activities on their network. We deliver a monthly report (with beautiful graphs) that shows these things, but even that report wasn’t a priority for us, because we are focused on something else; helping our customers with security events.

Read More

Pretty is the Enemy of Great   1/20/2016 By Mike Simon CISSP CTO
As many of you know, I've been involved in a project in Washington that is unique in the nation. The pilot PRISEM project is now being incorporated as PISCES: the Public Infrastructure Security Collaboration and Exchange System. Basically, it's a public option for monitoring local government, public utilities, and other down-market quasi-public organizations.

I'm convinced that because of the critical infrastructure and services provided by this poorly-protected sector, the potential impact of disruption, and the lack of affordable solutions for monitoring and response, there is a need that has to be filled. I can say with some authority that private sector managed security providers don't prefer this market (underfunded, biennial budgets, government procurement rules, long sales cycle, etc.), yet the criticality remains and risk grows with time.

In my view, this is something that should be provided as a service - not necessarily by government, but by a consortium of government (because infrastructure protection), academia (because research and work force development), and other stakeholders. There's more to this than I can write up in this blog, but suffice it to say that there is a goodly amount of enthusiasm in a number of states for replicating this model, and there will soon be a white paper released that says as much.

Read More

Grab the Third Rail and Hang On!   2/04/2016 By Michael Hamilton CISSP CEO
If you’re an executive in any organization, you should be feeling the pressure to prevent breaches of your customer and employee personal data. And for good reason: As we’ve seen over and over again in the past five years, a digital trust failure can cost millions of dollars (Home Depot), result in bankruptcy (Code Spaces), or even expose you to personal liability for the breach (Caremark).

Beyond data breaches, if you’re unlucky, an online criminal gang will encrypt all your data (Hollywood Presbyterian Medical Center) unless you pay them a ransom.

If you’re very unlucky, you’ll get caught in the cross-fire of a cyberwar: Online reprisals by nation-states that can completely destroy your computers (Saudi Aramco) or publicly expose all your secrets (Sony).

Welcome to the New Normal

Because cybersecurity has become so disruptive to our sense of what to expect in our modern world and being on the Internet, most executives don’t know how to deal with this “new normal”. This often leads to the kind of false thinking that causes them to see it as a mere technology problem, trivialize the risks, or even deny having any responsibility for it at all. Of course, none of that is helpful.

The unfortunate truth for everyone using the Internet is this: Cyberspace is more dangerous than ever and it will get even more so in the coming years, and none of the institutions we’ve relied on for generations to keep us safe (congress, law enforcement, military) can help us very much in the foreseeable future.

Don’t believe me? In 2015, the FBI began publicly advising that if you fall victim to ransomware, your best bet is to pay up. Did you ever think the FBI would say something like that?

Read More

GUEST BLOG Lean Into Your Cyber Risks To Thrive In The New Normal   4/20/2016 By Kip Boyle, President Cyber Risk Opportunities
Cyberwar Can Also Be A Civil War   6/16/2016 By Michael Hamilton CISSP CEO
The term, "cyberwar" is being bandied about more and more. While some appears to be just more hyperbole, FUD and click-bait, there's something going on; capabilities are catching up with intent - and not just by nation-states. The commoditization of attack tools has made it possible for anyone with a grudge to conduct denial of service, locate and track targeted individuals, and suppress the free flow of information.

Yes, the Russians penetrated a dam, a water utility in Illinois was compromised, and the energy sector is known to have other countries extant within computing systems since 2011. That's bad enough, but now activists are using GPS to track women entering Planned Parenthood, 60% of domestic violence victims have spyware on their phones and are being tracked by their abusers, and anti-government fanatics are waking up to the fact that they can buy their way into capabilities that were once reserved for technical experts.

This does not bode well for the operators of critical infrastructure at the local scale - traffic management, communication systems for law enforcement and public safety, water and waste treatment, dam operations - the list goes on. While ransomware is an annoyance, it's not personal. Intentional disruption is, and I believe that as we are watching for signs of North Korea and ISIS activity, we need to be vigilant on the domestic front as well. Our infrastructure, our freedom of speech, and the fidelity of our election systems are all being threatened.

Read More

Regulatory Scope Creep – We’re All Third Parties Now   11/11/2016 By Michael Hamilton CISSP CEO
The information technology world has changed very quickly in just the last few years. Not just the adoption of the cloud as a preferred data center and the changing knowledge requirements of IT practitioners - information security has taken on a whole new meaning. And because technology leads policy by a goodly amount, we're finding ourselves having to catch up quickly. When your surveillance cameras are weaponized to take down parts of the Internet, something’s gotta be done.

Options to pull ourselves out:

1. Legislative leadership to impose regulatory requirements, define illegal activities and create a greater role for local law enforcement (this will be the subject of a later blog.)
2. Industry self-regulation, through the creation of standards and adoption of market forces.
3. The public-private hybrid: use of the government purse to enhance the uptake of demonstrably secure products (ala FedRamp). That's already happening a bit, as is the creation of the equivalent of a "UL" listing for products that meet standards (which hopefully include plans for ongoing patching, upgrades and maintenance.)

Read More

Pulling on the Thread of Propaganda   12/22/2016 By Michael Hamilton CISSP CEO
We're awash in misinformation, disinformation, and propaganda. Calling it 'fake news' trivializes the issue, and it's not helpful. It's propaganda. It's a concerted attempt by a variety of actors to influence outcomes, by speaking to demographic groups that have a predisposition to believe certain things - when you tell someone something that verifies their existing world view, they're willing to believe it without further examination, and the introduction of facts that indicate otherwise is summarily rejected.

A study has been performed on this: A group of Dartmouth researchers have studied the problem of the so-called "backfire effect," which is defined as the effect in which "corrections actually increase misconceptions among the group in question."

http://bigthink.com/think-tank/the-backfire-effect-why-facts-dont-win-arguments

This is the social science that's being weaponized, to sow distrust of the US government, and divide the population along these lines of world view. Social media, according to the Pew Research Center, is where >60% of people get their "news".

http://www.journalism.org/2016/05/26/news-use-across-social-media-platforms-2016/

Given that it's possible to insert propaganda into the feed, which will be forwarded, shared, liked and repeated within echo chambers, this is clearly a mechanism for fomenting that division and distrust. But can anything be done about it?

YouTube, in particular, is filled with “news” channels that promote patently crazy, conspiratorial stories.

Read More

Separating the Church of Personal Use from the State of Authorized Activity   1/18/2016   By Michael Hamilton CISSP CEO
Government manages by landmine, as do many private sector businesses - I don't think anyone would disagree. Government cannot be convinced to act proactively in the face of a perceived threat - the impact must actually be felt before legislative or board action is taken. Predictions of lost business, brand damage, fines, or increased regulatory oversight fail to move the needle - although recent class action suits and accusations of executive gross negligence seem to have some pucker power.

Policy, or the set of rules under which we are either mandated to, or agree to, operate, can be a powerful security tool - especially with a technical enforcement mechanism, and we're coming up on the time when policies need a hard look for what they can achieve.

Way back when I was CISO of a US city known for its tech business, we collected metrics used to demonstrate that 40% of the compromised assets in the organization were due to the use of personal e-mail. 40%! After spending all the money to ensure that Outlook was free of bad attachments, links, and spam - users could have a web browser open to their ISP email account, happily going through all the clickbait they've attracted through online activities. So how effective was it to spend all that money? Further, it's reported that 91% of "hacks" start with phishing to obtain credentials for easy entry, and social media exposures make the creation of compelling bait that much easier.

Read More

Previous blog posts have talked about the expansion of regulatory purview of existing authorities, and how that is affecting businesses of all sizes - whether or not they are specifically regulated. Others have talked about the value of market-based security, and how procurement and contracting can be leveraged.

Regulatory authorities aside, businesses are applying the same scrutiny independently. I’m sure everyone has, at one time or another, seen the questionnaire regarding information protection controls that precedes a network trust relationship. For example, a company that provides outsourced benefits management is going to house customer employee data, to include SSNs, insurance information, and health data. That’s a big target, and before proceeding you would want to make sure that they don’t have any wildly open doors or windows. So we’re all getting used to this.

I think this is a good trend, as it makes security more aligned with market forces, providing a capitalism-based approach - you can make more money if you’re secure. It’s also becoming a necessity as we move into more networked means of managing power consumption, traffic management, asset tracking, and all the other “smart” energy / city / hospital / etc. technologies coming into the market.

The manufacturers of these technologies certainly bear the responsibility of ensuring that their products are secure (and a security certification system may be forthcoming), but I think we can all agree that’s good for a point in time only. Things deteriorate. Additionally, an integrator will likely be required to get the technology installed and working. Everyone in this food chain has a responsibility, and hardly ever are those responsibilities articulated contractually.

Read More

“Smart” Security for the Internet of Things, in Three Parts   2/23/2017   By Michael Hamilton CISSP CEO