The Been There, Bled There Blog
A blog that covers, well, just about anything that we feel you can gain critical insight from. We wear our battle scars with pride and are grizzled enough to occasionally yell, “Get off of my Lawn!” As they say, “You Can’t Make This Stuff Up!”
Back in the early 1990s, Mike Hamilton, an acquaintance made through a shared obsession with USC Trojan Football, asked me if I wanted an email account. This was before the Internet as we know it today, a world of 300 baud (300 bits per second; the standard connection speed today is 3.3 million times faster!), acoustically-coupled (essentially a cradle for the handset of an old rotary dial phone), dial-up modems that we used to connect to Bulletin Board Systems (BBSs). That was how the world at the time, about 100,000 or so of us, went online.

Over two decades later, that single question led to where I am today, to where all the work that Mike, our colleagues, customers, and associates have collectively taken us. This October, M. K. Hamilton & Associates, LLC is becoming Critical Informatics Inc. This is where we were meant to be: the result, the end-point, the objective, after taking that first step seemingly a lifetime ago now. In 1994, our career in Information Security was two computer geeks with science day jobs pulling all-nighters trying to conjure security products out of our imagination. Some things that were true then are unheard of today: firewalls were C code you tweaked yourself and compiled on FreeBSD systems. Linux was still virtually unknown outside of academic circles and folks who watched the Linus Torvalds / Andrew Tanenbaum debate on Usenet. Ironically, much like now, security automation then was cobbled together with AWK and SED and Turbo C Shell (Tcsh) or Bash scripts -- funny how other things never change no matter how long ago we adopted them!
KEEP ON TRUCKIN': WHAT A LONG, STRANGE TRIP IT'S BEEN
9/24/2015
By Fred Langston CISSP CCSK, EVP, Professional Services
Critical Insight. It’s what we provide, and the name of our next generation product, just released July 31. The name, the product, the new capabilities and a new perspective on how to achieve all of it seemed worthy of explanation ... and maybe a fun puzzle.

As scientists and practitioners working in an infant science like information security, we find that we spend a lot of time looking at more mature sciences for models and techniques that we can use to “see further, by standing on the shoulders of giants,” to both paraphrase and mangle Sir Isaac Newton. We find ourselves reading textbooks and taking classes in statistics, numerical analysis, natural language processing and epidemiology, among other things.

When presented with the problem of modeling an approach to the very real problem of applying a mix of signature, anomaly, behavioral and reputation methods to the vast amounts of data available from modern networks and systems, our team kept finding themselves making great progress, then retracing their steps to accommodate new information, new threats or just plain new thinking.

Clearly, a state of continuous re-design is not sustainable for a service supporting regional critical infrastructure in the face of constantly evolving threats and a stream of successful attacks. We needed to find a giant’s shoulder, and we found one in logic puzzles.
Knights and Knaves, and CRITICAL INSIGHT
8/01/2015
By Mike Simon CISSP, CTO
"Know your enemy and know yourself, and you will win a hundred battles." - Sun Tzu from Art of WarThe man and his work are legend, and for good reason. Inspired by the sage, I've explored this concept and applied his theories at some of today's largest companies. And if you've heard me or read anything I've written in the last few years, you'll recognize the following interrogatory statement which is the above stratagem in modern cyber-security parlance: Do you know how, with what resources, and where you will direct your incident response team when an active attack has been detected against your organization? Short shrift is being paid to the basic task of understanding one's own attack mitigation and response capabilities. We all finally agree that it's a matter of when and not if we are going to experience a breach. So, even if we know our threat horizon well, no security technology, architecture, practice or policy, at least today and within my lifetime, will ever be fully resistant to cyber-attacks. Knowing this, isn't it paramount to fully understand exactly what your organization should be doing when under active attack?What I believe is commonly missing from IR planning is a way to provide tactical guidance once an attack is underway on who should be responding, what activities should be prioritized, what tools should be used, and most importantly, what specific defensive capabilities are going to be most effective against the specific type of attack being experienced. Fighting a cyber-attack without knowing your own response capabilities is comparable to sending a field general out to command an army without telling the commander what weapons his troops have and how well they can use those weapons, nor any knowledge of the enemies' weapons the troops will face in battle. 
The corollary to this is the fact that many activities carried out in a standard, well-constructed IR plan may have little or no effect on stopping the attack and all the associated damage because we cannot provide specific, appropriate responses a priori for a future attack.
How Will You Respond when You're Under a Cyber Attack?
9/24/2015
By Fred Langston CISSP CCSK, EVP, Professional Services
Part One: What are the “7012” regulations?

Defense Acquisition Regulation Supplement 252.204-7012

In November 2013, the US Department of Defense issued final rules to its defense acquisition regulations. Defense Acquisition Regulation Supplement (DFARS) section 252.204-7012 now requires contractors to safeguard information that is deemed Unclassified, but controlled (called UCTI), within their IT systems in a manner compliant with standards issued earlier in 2013 by the National Institute of Standards and Technology (NIST). The 7012 regulations also require immediate reporting of any incident or threat to UCTI that is carried on or held in an IT system. NIST is the cognizant agency for Classified standards and operational regulations. The regulations themselves are a part of, and a driver to, a set of complex problems for industry; presently, risk is being transferred away from DoD to its contractors, who will find risk rebounding to them via their “cyber” insurance policies. This two-part article isn’t intended to fan the flames, but rather to give the context behind the regs, provide meaningful definitions for practical use, offer probable implications for industry, and set out why the seemingly most reasonable solution for businesses may be the most dangerous to them. No law firm, consultancy, proprietary software solution, or cyber-insurance policy has a magic solution that will ensure compliance.
Businesses are encouraged to understand the playing field, proceed conservatively, employ consultants or use external resources and partners as part of their due diligence to understand and comply with the requirements, articulate an operational plan, document copiously, communicate generously with their subcontractors, and remember to build and maintain bridges between IT functionality and general operations.

Onions, and Ogres, have layers

Like the famous ogre, Shrek, the 7012 regulations have a layered history and an unfriendly disposition, with good intention at base. Understanding and applying them requires an understanding of regulatory context and the current market forces at work. We’ll start by peeling back the onion layers around the regulations themselves. In the second part of this article, we’ll look at why implementation, compliance, and risk transference strategies are on a collision course with private cyber insurance, with the critical functionality providers (that’s you) wedged in the middle.
7012 REGULATIONS AND CYBER INSURANCE ARE ON A COLLISION COURSE WITH SMALL BUSINESS
5/25/2015
By Larisa Breton, MPS, President of FullCircle Communications, LLC
I am a member of the American Bar Association’s Science & Technology Section, Electronic Discovery and Digital Evidence (EDDE) Committee and recently had the privilege of spending a couple of days with the leading experts in the country on electronically stored information, legal forensics and e-discovery. The two-day meeting was packed with excellent and timely new information whose highlights I have summarized below:

1) Federal Rules of Civil Procedure (FRCP) changes expected to be approved within the next week or so. Proposed changes (NOTE: these are still “proposed” and could change):

a. Rule 26(b)(1): the issue of proportionality is now at the top of the list of considerations that a court should use when deciding on the relevancy and importance of evidence to a case.
   i. If preservation or production of electronic evidence will place a burden on one of the parties disproportionate to either: 1. the issues of the case, or 2. that party’s responsibility and capability to preserve or produce the evidence,
   ii. the court is asked to make decisions on whether to compel production, and who should pay for the production, based on the weight of the burden.

b. New language to clarify that this decision should no longer be based entirely on the financial burden but should consider all issues that are affected by the request and might impact the parties involved (e.g. reputation, time & personnel resources, etc.).

c. Rule 37(e) clarified that some of the more onerous sanctions for spoliation should only be considered if it can be shown that the party acted with the intent to deprive another party of the information's use in litigation. It also states no sanctions, unless it can be shown that the spoliation or loss of evidence has created prejudice.

d. Rule 34(b)(2)(B): Objecting to producing electronic evidence due to an assertion of burden will require showing real reasons with actual evidence of the burden. You will need to state specifically what you’re objecting to and what you are withholding as a result of your objection.
COMING SOON TO A COURTROOM NEAR YOU
5/12/2015
By David Matthews CISSP CISM DRFS CSFA, IR & Forensics Practice Lead
The public sector is an interesting, important and really tough market to work with. You can verify this by asking your vendors how they feel about working in "SLED": State, Local and Educational. They'll talk about thin and biennial budgets, government procurement rules and political and labor overlays.

And yet, we picked this market preferentially. Why? Because we have kids. Because clean water, emergency management, and communication systems for public safety are far more important than credit cards. Yes, the public sector holds personally identifiable information, health records and cardholder data, and those are important as security drivers (no one wants to be "above the fold"), but the real exposures are the ones that can result in loss of life if disrupted.

So our challenge is to come up with security services that are focused on the right things, provide demonstrable value, and help with moving the conversation forward about securing the critical assets that are managed by the public sector, while addressing the difficulties in projecting the need for security to electeds and executives.

So here are three packages that do just that. These are meant to assist with establishing a security baseline and budget priorities, identifying low-hanging fruit for quick wins, and addressing compliance requirements that apply to HIPAA, CJIS, and PCI. And while pricing depends on scope, these are normally below the threshold for competitive procurement.
Three Security Packages for the Public Sector
4/17/2015
By Michael Hamilton CISSP, CEO
Veterans Helping State Fight CyberSecurity War

Mike Hamilton was featured in a KING-5 TV news story in his role as Policy Advisor to the Washington State Office of the Chief Information Officer. In his job as Policy Advisor, Mike collaborates with organizations around the state, including the military, public utility and water/sewer districts, the University of Washington and local governments. The objective of this work is employment as cyber-analysts for our veterans, and availability of these resources for business and government in our state.

Watch the story on KING-5's website.
HELPING VETERANS: MIKE HAMILTON FEATURED IN SEATTLE TV STORY
3/14/2015
By Michael Hamilton CISSP, CEO
You’ve just returned to your law firm from a long holiday weekend and are looking through your email. You find a note from your financial institution regarding a large transfer of money from one of your trust accounts. The figure is in the high end of six figures and you nearly spill your coffee running over to your bookkeeper’s office.

He knows nothing about it. It’s time to push the panic button. Eventually you figure out that your bookkeeper received an email with a poisoned attachment and his account was compromised. Over the weekend criminals used his credentials to steal a lot of your money, and you are very unlikely to ever see it again. You have just been the latest victim of a growing cybersecurity crisis that is beginning to target law firms. This is not fiction or FUD (fear, uncertainty and doubt); this is a story straight from recent news.

Anyone who reads the newspaper or listens to the news cannot help but be aware of the number of organizations that are being victimized every day by our cyber adversaries. The year 2014 has been dubbed the “year of the data breach.”
MIND THE BACK DOOR: PROTECTING CLIENT INFORMATION FROM CYBERSECURITY THREATS AND DISCLOSURE
9/24/2015
By Suzanne Skinner and David Matthews, M.K. Hamilton & Associates, LLC
I talk a lot about security in the procurement and contracting processes. I think using capitalism as a means of achieving an outcome is a better model than regulation. Read previous posts to get up to speed on those thoughts.

The abstraction of that idea is that suppliers are a risk, and exercising control over those suppliers -- using the power of the purse in the preceding example -- is one key to moving the cybersecurity needle. This post addresses the application of that idea in the local energy sector (our PUDs and dams, mainly).

If you follow the Daily News Blast, it's become obvious through a proliferation of stories that small product and service providers, which have some degree of trusted electronic access to their customers, are the entry point for infiltration of the true targets.
Small Companies, Russia and Energy
12/16/2014
By Michael Hamilton CISSP, CEO
This is a response to a question I was asked by a State CIO (not our state), regarding legislation that addresses security in procurement. Now sharing with you.

I have been very interested in strategies to turn security into a "market force" through the creation of competitive differentiators, and using the purchasing power of the government. I feel this is a non-regulatory way to address the problem: leverage the fact that we're capitalists. This was a message delivered to, and very well-received by, the Deputy Secretary of DHS in a recent meeting.

I'm not aware of legislation that has created an actual requirement for demonstrable security in a product or service, with the exception of the FedRAMP program for cloud products. See below.

First, the opinion.

Effective legislation would, in my opinion, create an expectation that it is the responsibility of the state to purchase products and services that are differentiated by their attention to security. This would have to be based on standards, but don't create the standards. Make the products attest that they adhere to existing industry standards (for example OWASP for web application security), and ideally that they have been validated by a third party as meeting the standard. Don't make it a mandate that they hire a third party to test the product; just score them higher on the RFP response if they have! Change is thus forced in a non-regulatory way, just by using the power of the purse. Companies start to advertise the fact that their products are demonstrably secure, and capitalism starts to do its thing.
We Can Turn Security into a Market Force
10/25/2014
By Michael Hamilton CISSP, CEO
When the team at Critical Informatics started redesigning our managed service product from the ground up for version 2.0, we had to ask ourselves a lot of questions about how to build on our success with a popular model, eliminating weaknesses, improving features we liked and extending it in ways that continue to show value in a market where it seems like everyone is claiming “advanced analytics” as their not-so-secret sauce. Often, in early planning for products, the earliest decisions are philosophical in nature, rather than technical. This is reflected in my first post on version 2.0, where I explain that in many ways, it’s all about getting to the question, and the answers follow. In this post, I want to talk about another philosophy that we adopted in 2.0 which drives our sales and marketing team crazy, and which we are still convinced was absolutely the right direction.

Critical Insight has a lot of features that are rare or non-existent in competitive products, like access to packet capture for perfect replay of network events, zero false positive reporting and human analysts in the loop for all reported events.

What we don’t (yet) have is a beautiful customer portal that allows our customers to log in and view beautiful pie charts and bar graphs which represent security related activities on their network. We deliver a monthly report (with beautiful graphs) that shows these things, but even that report wasn’t a priority for us, because we are focused on something else: helping our customers with security events.
Pretty is the Enemy of Great
1/20/2016
By Mike Simon CISSP, CTO
As many of you know, I've been involved in a project in Washington that is unique in the nation. The pilot PRISEM project is now being incorporated as PISCES: the Public Infrastructure Security Collaboration and Exchange System. Basically, it's a public option for monitoring local government, public utilities, and other down-market quasi-public organizations.

I'm convinced that because of the critical infrastructure and services provided by this poorly-protected sector, the potential impact of disruption, and the lack of affordable solutions for monitoring and response, there is a need that has to be filled. I can say with some authority that private sector managed security providers don't prefer this market (underfunded, biennial budgets, government procurement rules, long sales cycle, etc.), yet the criticality remains and risk grows with time.

In my view, this is something that should be provided as a service, not necessarily by government, but by a consortium of government (because infrastructure protection), academia (because research and work force development), and other stakeholders. There's more to this than I can write up in this blog, but suffice it to say that there is a goodly amount of enthusiasm in a number of states for replicating this model, and there will soon be a white paper released that says as much.
Grab the Third Rail and Hang On!
2/04/2016
By Michael Hamilton CISSP, CEO
If you’re an executive in any organization, you should be feeling the pressure to prevent breaches of your customer and employee personal data. And for good reason: As we’ve seen over and over again in the past five years, a digital trust failure can cost millions of dollars (Home Depot), result in bankruptcy (Code Spaces), or even expose you to personal liability for the breach (Caremark).

Beyond data breaches, if you’re unlucky, an online criminal gang will encrypt all your data (Hollywood Presbyterian Medical Center) unless you pay them a ransom.

If you’re very unlucky, you’ll get caught in the cross-fire of a cyberwar: Online reprisals by nation-states that can completely destroy your computers (Saudi Aramco) or publicly expose all your secrets (Sony).

Welcome to the New Normal

Because cybersecurity has become so disruptive to our sense of what to expect in our modern world and being on the Internet, most executives don’t know how to deal with this “new normal”. This often leads to the kind of false thinking that causes them to see it as a mere technology problem, trivialize the risks, or even deny having any responsibility for it at all. Of course, none of that is helpful. The unfortunate truth for everyone using the Internet is this: Cyberspace is more dangerous than ever and it will get even more so in the coming years, and none of the institutions we’ve relied on for generations to keep us safe (Congress, law enforcement, military) can help us very much in the foreseeable future.

Don’t believe me? In 2015, the FBI began publicly advising that if you fall victim to ransomware, your best bet is to pay up. Did you ever think the FBI would say something like that?
GUEST BLOG: Lean Into Your Cyber Risks To Thrive In The New Normal
4/20/2016
By Kip Boyle, President, Cyber Risk Opportunities
Cyberwar Can Also Be A Civil War
6/16/2016
By Michael Hamilton CISSP, CEO
The term "cyberwar" is being bandied about more and more. While some of it appears to be just more hyperbole, FUD and click-bait, there's something going on; capabilities are catching up with intent, and not just by nation-states. The commoditization of attack tools has made it possible for anyone with a grudge to conduct denial of service, locate and track targeted individuals, and suppress the free flow of information.

Yes, the Russians penetrated a dam, a water utility in Illinois was compromised, and the energy sector is known to have had other countries extant within computing systems since 2011. That's bad enough, but now activists are using GPS to track women entering Planned Parenthood, 60% of domestic violence victims have spyware on their phones and are being tracked by their abusers, and anti-government fanatics are waking up to the fact that they can buy their way into capabilities that were once reserved for technical experts. This does not bode well for the operators of critical infrastructure at the local scale: traffic management, communication systems for law enforcement and public safety, water and waste treatment, dam operations; the list goes on. While ransomware is an annoyance, it's not personal. Intentional disruption is, and I believe that as we are watching for signs of North Korea and ISIS activity, we need to be vigilant on the domestic front as well. Our infrastructure, our freedom of speech, and the fidelity of our election systems are all being threatened.
Regulatory Scope Creep – We’re All Third Parties Now
11/11/2016
By Michael Hamilton CISSP, CEO
The information technology world has changed very quickly in just the last few years. Not just the adoption of the cloud as a preferred data center and the changing knowledge requirements of IT practitioners; information security has taken on a whole new meaning. And because technology leads policy by a goodly amount, we're finding ourselves having to catch up quickly. When your surveillance cameras are weaponized to take down parts of the Internet, something’s gotta be done.

Options to pull ourselves out:

1. Legislative leadership to impose regulatory requirements, define illegal activities and create a greater role for local law enforcement (this will be the subject of a later blog).

2. Industry self-regulation, through the creation of standards and adoption of market forces.

3. The public-private hybrid: use of the government purse to enhance the uptake of demonstrably secure products (à la FedRAMP). That's already happening a bit, as is the creation of the equivalent of a "UL" listing for products that meet standards (which hopefully include plans for ongoing patching, upgrades and maintenance).
Pulling on the Thread of Propaganda
12/22/2016
By Michael Hamilton CISSP, CEO
We're awash in misinformation, disinformation, and propaganda. Calling it 'fake news' trivializes the issue, and it's not helpful. It's propaganda. It's a concerted attempt by a variety of actors to influence outcomes, by speaking to demographic groups that have a predisposition to believe certain things: when you tell someone something that verifies their existing world view, they're willing to believe it without further examination, and the introduction of facts that indicate otherwise is summarily rejected. A study has been performed on this: A group of Dartmouth researchers have studied the problem of the so-called "backfire effect," which is defined as the effect in which "corrections actually increase misconceptions among the group in question."

http://bigthink.com/think-tank/the-backfire-effect-why-facts-dont-win-arguments

This is the social science that's being weaponized, to sow distrust of the US government, and divide the population along these lines of world view.

Social media, according to the Pew Research Center, is where >60% of people get their "news".

http://www.journalism.org/2016/05/26/news-use-across-social-media-platforms-2016/

Given that it's possible to insert propaganda into the feed, which will be forwarded, shared, liked and repeated within echo chambers, this is clearly a mechanism for fomenting that division and distrust. But can anything be done about it? YouTube, in particular, is filled with “news” channels that promote patently crazy, conspiratorial stories.
Separating the Church of Personal Use from the State of Authorized Activity
1/18/2016
By Michael Hamilton CISSP, CEO
Government manages by landmine, as do many private sector businesses; I don't think anyone would disagree. Government cannot be convinced to act proactively in the face of a perceived threat; the impact must be actually felt before legislative or board action is taken. Predictions of lost business, brand damage, fines, or increased regulatory oversight fail to move the needle, although recent class action suits and accusations of executive gross negligence seem to have some pucker power.

Policy, or the set of rules under which we are either mandated to, or agree to, operate, can be a powerful security tool, especially with a technical enforcement mechanism, and we're coming up on the time when policies are needing a hard look for what they can achieve.

Way back when I was CISO of a US City known for its tech business, we collected metrics used to demonstrate that 40% of the compromised assets in the organization were due to the use of personal e-mail. 40%! After spending all the money to ensure that Outlook was free of bad attachments, links, and spam, users could have a web browser open to their ISP email account, happily going through all the clickbait they've attracted through online activities. So how effective was it to spend all that money? Further, it's reported that 91% of "hacks" start with phishing to obtain credentials for easy entry, and social media exposures make the creation of compelling bait that much easier.
Previous blog posts have talked about the expansion of regulatory purview of existing authorities, and how that is affecting businesses of all sizes, whether or not they are specifically regulated. Others have talked about the value of market-based security, and how procurement and contracting can be leveraged.

Regulatory authorities aside, businesses are applying the same scrutiny independently. I’m sure everyone has, at one time or another, seen the questionnaire regarding information protection controls that precedes a network trust relationship. For example, a company that provides outsourced benefits management is going to house customer employee data, to include SSNs, insurance information, and health data. That’s a big target, and before proceeding you would want to make sure that they don’t have any wildly open doors or windows. So we’re all getting used to this.

I think this is a good trend, as it makes security more aligned with market forces, providing a capitalism-based approach: you can make more money if you’re secure. It’s also becoming a necessity as we move into more networked means of managing power consumption, traffic management, asset tracking, and all the other “smart” energy / city / hospital / etc. technologies coming into the market.

The manufacturers of these technologies certainly bear the responsibility of ensuring that their products are secure (and a security certification system may be forthcoming), but I think we can all agree that’s good for a point in time only. Things deteriorate. Additionally, an integrator will likely be required to get the technology installed and working. Everyone in this food chain has a responsibility, and hardly ever are those responsibilities articulated contractually.