March 31, 2013 By Dan Lohrmann
The book 1984 was written by George Orwell in the 1940s. Words and concepts such as “Big Brother,” “doublethink,” “thoughtcrime,” “Newspeak” and even “Orwellian” come from this famous literary work.
More than sixty years later, philosophers still argue about what Orwell would say about the Internet, technology in 2013 or our future, if Orwell were alive today. Students continue to read and learn from Orwell and debate questions about security, privacy and monitoring on the Internet today.
Taking a step back and shifting the focus to tomorrow, what are today’s futurists predicting? And for security, what is coming down the road? I believe that this is more than just a fun daydreaming exercise. Indeed, we can learn some lessons to apply today by thinking more about tomorrow.
The Future According to Kurzweil
Futurist Ray Kurzweil says we’ve only just begun to innovate. He predicts a world with in-body computers to detect and fight disease and a world dominated by artificial intelligence.
After founding several companies, Kurzweil was recently hired as director of engineering for Google, so his ideas are not just far-fetched dreams. Here’s an excerpt from a late-January 2013 interview:
You have said that by the 2030s, people will have blood cell-sized computing devices in their bloodstreams and brains that connect directly to off-site computer data servers. What makes you think that?
We already have computerized devices that are placed inside the body and even connected into the brain, such as neural implants for Parkinson’s disease and cochlear implants for the deaf. These devices can already wirelessly download new software from the cloud. Technology is shrinking at an exponential rate, which I’ve measured at about 100 in 3D volume per decade. At that rate, we will be able to introduce blood cell-sized devices that are robotic and have computers that can communicate wirelessly by the 2030s.
How would such devices be regulated to ensure that outside forces can’t manipulate people’s thoughts and actions through the Internet?
Privacy and security are already very significant issues, considering the personal and intimate things that people do with their computers. This is an issue we will never be able to cross off our “concern list,” but we’re actually not doing that badly. Relatively few people today complain that they have been significantly damaged by privacy and security breaches. ...
Near-term Predictions: AOL’s ‘Digital Prophet’ David Shing
But Google’s engineers aren’t the only ones thinking about the future. AOL has its own futurist, Digital Prophet David Shing. In a recent presentation that focused more on the next decade than twenty or thirty years out, the ‘shock-haired Australian’ described ten predictions.
Here are a few of those:
The Future of Marketing?
And how will this change Internet Marketing over the next few years? I found this post on the future by “Dan (@Tropical MBA)” to be fairly compelling. While this topic of marketing trends may seem irrelevant to security and technology professionals, remember that we need to pay for our Internet content somehow. Business marketing of products is a major driver in technology innovation and service delivery.
This entire article is worth reading, but here are three of his seventeen trends:
The Future of Cybersecurity
So what does all this mean for the future of cybersecurity? A few months back, I articulated my views on what it will mean to be a security leader in 2020 for CSO magazine. One key message is that roles within security will only increase, as we depend more and more on technology moving forward. We are already witnessing the growth in the importance of embedded technology within critical infrastructures.
Another message: Security leaders should strive to be trusted advisors.
One perspective (which I believe is flawed) is that once we “figure out” identity management, current Internet holes and ID theft (possibly with biometrics), we will start to see a dramatic reduction in the role of cybersecurity. I disagree.
The technology trends listed above mean that hacking and computer security concerns will evolve to include social media attention, imposters infiltrating trusted networks, the delivery of university education, devices implanted in the body, cars that drive themselves and much more.
For the foreseeable future, we will have what Kurzweil calls “personal and intimate things that people do with their computers.” Thus the continued need for security and privacy protections.
Or, as a line often attributed to Orwell puts it, “We sleep safe in our beds because rough men stand ready in the night to visit violence on those who would do us harm.”
March 24, 2013 By Dan Lohrmann
There has been a lot of discussion over the past few months regarding an article entitled: Why you shouldn’t train employees for security awareness. This viral article from last summer is still very popular. It was written by Mr. Dave Aitel, who is the founder and CEO of Immunity. If you’re not familiar with this debate on the value of cyber awareness training, I recommend taking ten minutes to check out Mr. Aitel’s views and the corresponding comments.
After reading this article as well as many rebuttals, I believe a few common themes emerge:
1) The majority of cyber experts and technology leaders disagree with Mr. Aitel for a variety of reasons. The verdict seems to be that we need an “all of the above” approach when it comes to training as well as other activities, policies, tools and cybersecurity actions. The conventional wisdom says we need answers relating to people, process and technology – and awareness training helps the people and process part.
One of my favorite rebuttals was written by Boris Sverdlik at Infosec Island. For the most part, I agree with Mr. Sverdlik’s perspective on this topic.
2) Mr. Aitel is not alone in his views on awareness training. Bruce Schneier, a well-known security blogger and industry expert, wrote this piece on the topic. Similar articles were written last year. Read this response to dropping security awareness from Spiceworks, written last July.
3) There is no doubt that Mr. Aitel makes many good points that need to be taken seriously. Who can argue with any of these seven actions (described in more detail in his article)?
The Good, the Bad and the Ugly with this ‘Shock Marketing’ Approach
But rather than just echo other rebuttals, I’d like to address a broader set of implicit questions that this article raises. Specifically, what are the positive and negative ramifications to throwing end user awareness training (or for that matter, any other training, technology, policy or approach) under the bus? Why do we instinctively react negatively to Win/Lose articles and blogs like this?
Perhaps most important: Does this article make CISOs and other security leaders want to implement his seven actions or buy his product more? I think not.
I basically view this piece to be a form of “shock” marketing or advertising to get our attention. Why shock advertising? Because the words are carefully chosen to force a strong reaction. Notice that the headline is not: “How to follow an offensive security program,” or, “Seven essential security steps for organizations,” or even, “Why Immunity offers the best … whatever.” Those titles would not have received the same level of viral attention and would yield minimal page views. No, the approach seeks to grab our attention with something we inherently want to argue or defend or discuss.
Lest I be accused of not practicing what I preach, I want to present my response in a respectful manner to this particular author and training issue. Nevertheless, I think my concerns are relevant for other topics that use a similar marketing approach. We’ve all seen similar techniques used for various products and services.
I don’t know Mr. Aitel or his company, but he seems to be an articulate security executive with a positive reputation and a good set of credentials. I have nothing for or against him or his company. Rather, I think this is a good example of an author trying to get noticed in a very crowded social media market vying for our attention. What’s the result?
What are the good aspects of this article? First and foremost, shock marketing gets you noticed. There’s no doubt that I now know who Dave Aitel is. Before I read this article, I didn’t know anything about him or his company. I’m even writing a blog about his article, along with dozens of other bloggers.
A Google search on this headline gets big results. Immunity has more people going to the company’s website. I’m sure Dave also has more LinkedIn connection requests. These are all sales leads.
No doubt, many people have emailed him and unloaded all of the things that they think are wrong with their company’s awareness training program(s). He may even be attracting a few hackers with talent to join his company.
Second, this article also draws attention to his points regarding other cyber priorities. It shines a light on other important aspects of cybersecurity.
One bad aspect of shock marketing is that it can turn people off. Yes, you get your name out there to make a point, but are you changing people’s minds? Are you getting noticed for the wrong reasons?
More important, he might be associated with a negative image that is hard to undo. What stuck in my mind a few days after reading the article is that he thinks awareness training is a waste, not his other seven points.
But the ugly part of this article is a perception it leaves regarding a potential lack of integrity. Now I must say up front that the author may indeed believe what he is saying about awareness training. I don’t know his true motives or beliefs. Perhaps he really thinks that end user awareness training activities are a total waste of time and money.
But if this is so, why does he end the article the way he does? Here’s an excerpt:
“By following an offensive security program, companies can keep their networks, and employees, protected.
Dave Aitel, CEO of Immunity Inc.... His firm specializes in offensive security and consults for large financial institutions….”
Notice that the answer given is to “Follow an offensive security program.” This is a classic “Win-Lose” example from Covey. Or in other terms, don’t spend your company or government dollars on awareness training, but buy my products and/or services instead.
On the other hand, a similar article by Bruce Schneier looks at the arguments for and against awareness training, without trying to sell me his products in the process.
Improve, don’t remove, security awareness
In conclusion, there are a long list of reasons that security awareness training makes sense, as described in other rebuttals. Businesses have audit findings to address, processes that need refining and pragmatic compliance reasons to train employees.
And yes, there is plenty of poor and meaningless awareness training out there. I agree that awareness training must be improved and results measured. Over the past year, I have advocated new approaches that offer more intriguing awareness training that is brief, relevant, timely, fun and changes behavior.
And yes, cost is a factor. I suspect that some organizations spend too much on awareness training. However, most state governments spend less than 1% of their security budgets on awareness training.
Most important, if you really want to change my mind and convince me to stop offering awareness training – let the arguments stand alone.
And if you want me to buy your product, try a different marketing approach based on WIN-WIN principles. Please don’t trash awareness training in the process.
March 17, 2013 By Dan Lohrmann
The day after President Obama signed the “Improving Critical Infrastructure Cybersecurity” Executive Order (Executive Order 13636), the National Institute of Standards and Technology (NIST) issued this press release announcing the development of a new framework to reduce cyber risk.
What do they need right now? Your input by April 8.
Here’s an excerpt from the February 13, 2013, press release:
The National Institute of Standards and Technology (NIST) today announced the first step in the development of a Cybersecurity Framework, which will be a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that are vital to the nation’s economy, security and daily life.
… In accordance with the Executive Order, the Secretary of Commerce has directed the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure, such as power plants and financial, transportation and communications systems. NIST will issue a Request for Information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders….
Stakeholder meetings are also a part of the framework process. The first meeting will be held April 3 at NIST headquarters in Gaithersburg, Md. For more information on this workshop or to register, go to this NIST website.
Many public and private sector organizations are talking about this new framework and the corresponding development process now, as demonstrated by this blog by Rodney Petersen from EDUCAUSE. Rodney points out that: “EDUCAUSE and Internet2 are working with the Higher Education Information Security Council to review the Questions in the RFI to develop a higher education response.”
In addition, I am aware of efforts by the National Association of Chief Information Officers (NASCIO) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) to gather input to this request by NIST. Whether these organizations compile a combined RFI response from states or just encourage state and local governments to respond individually is not clear at this time.
The Request for Information (RFI) can be seen here, and related comments should be e-mailed to email@example.com by April 8, 2013 with the subject line: "Developing a Framework to Improve Critical Infrastructure Cybersecurity."
I urge you and your organization or government to engage in this overall process. It is far too easy to complain about what is or what is not happening in Washington D.C. regarding cybersecurity. It is another matter entirely to be a part of the solution. This framework will provide an important piece to our roadmap over the next four-plus years, and we all need to get involved.
Related Congressional Developments on Cybersecurity
In a related development, DHS Secretary Janet Napolitano recently testified on the cybersecurity executive order. Here’s an excerpt from the Homeland Security Newswire article:
“Cybersecurity has become a hot topic recently, as information emerged about a series of cyber attacks on U.S. banks, Microsoft, the New York Times, the Wall Street Journal, Bloomberg, and many other companies. A detailed expert report confirmed that these attacks, and others, were the work of operatives working for China’s military intelligence services (see “Chinese government orchestrates cyberattacks on U.S.: experts,” HSNW, 19 February 2013).
The Hill reports that these attacks now have lawmakers concerned about more destructive attacks on water systems, financial institutions, transportation, utilities, and other critical infrastructure….
Senate Commerce Committee chairman Jay Rockefeller (D-West Virginia) said in a statement that the threat of a cyber attack is higher than ever, especially since the Congress failed to pass any cybersecurity legislation last year. “We simply cannot afford to wait any longer to adequately protect ourselves.” Rockefeller said in his statement….”
Just yesterday, the news came out that the McCaul-Lipinski Cybersecurity Enhancement Act advances to House floor. This legislation passed the House in 2012 and 2010 with overwhelming bipartisan support. The bill:
• Improves coordination in government, providing for a strategic plan to assess the cybersecurity risk and guide the overall direction of federal cyber research and development.
• Updates the National Institute of Standards and Technology (NIST) responsibilities to develop security standards to harden our federal networks and processes for agencies to follow.
• Establishes a federal-university-private-sector task force to coordinate research and development and to improve training of cyber professionals.
• Continues much-needed cybersecurity research and development programs at the National Science Foundation and NIST.
Presidential Actions On Cyber This Week
Meanwhile, President Obama hosted an unprecedented meeting with CEOs this past week on cybersecurity threats facing our nation. The New York Times reported on the meeting that, “Mr. Obama wanted to hear directly from industry leaders about how vulnerable their companies were to computer attacks. The president also wanted to discuss efforts the government was taking to address threats.”
In an interview with ABC News, the President also answered questions on cyber threats. Here’s that exchange:
PRESIDENT BARACK OBAMA:
Well, I think you always have to be careful with war analogies. Because, you know, there’s a big difference between them engaging in cyber espionage or cyber attacks and, obviously, a hot war. What is absolutely true is that we have seen a steady ramping up of cyber security threats. Some are state sponsored. Some are just sponsored by criminals. The–
But some are state sponsored?
PRESIDENT BARACK OBAMA:
Absolutely. And billions of dollars are lost to the consequences. You know, industrial secrets are stolen. Our companies are put at a competitive disadvantage. You know, there are disruptions to our systems that, you know, involve everything from our financial systems to some of our infrastructure.
And this is why I’ve taken some very aggressive executive actions. But we need Congress to act. We’ve put before Congress exactly what we need that will protect people’s privacy and civil liberties, but will also make sure that our overall system, both public and private, is protected from these kinds of attacks.
In conclusion, there is definitely a new sense of urgency to these cybersecurity matters. The topic of cyberdefense has now been elevated to the highest executive levels in the public and private sectors, even entering the conversation alongside such topics as the national debt, the economy and North Korean concerns.
State and local governments need to have this same sense of urgency on policies related to cyber. Get involved.
What are your thoughts on recent developments?
March 3, 2013 By Dan Lohrmann
The largest cybersecurity conference in the world was held this past week - RSA in San Francisco. The 2013 show was as big and, in reality, overwhelming as ever. There are literally thousands of articles and press releases that come out each year about the companies, products, awards, people and the hottest global security topics related to the greatest IT security show on earth.
There are so many conference sessions, side-meetings, receptions, demonstrations, bake-offs, dinners (and lunches and breakfasts), separate conferences running concurrently and more, that it is hopeless to think that attendees can participate in even a small fraction of the available activities. The vendors know that most security leaders with influence are somewhere in San Francisco during the week, and they all want to have “face-to-face” time over a meal or coffee.
When I told one vendor friend that I was just too busy for another introduction with a new company, he tried the guilt-trip approach, “Dan. Everyone knows that you have at least three dinners at RSA.” (I politely told him that I’m an early to bed, early to rise, Midwestern guy who eats one dinner – especially after a few receptions with food and drink.)
Last year, I didn’t attend the RSA Conference, but I received questions from many people around the globe. This blog covers that experience from last year and the emails received before, during and after the events. The sentiment was: Are you ok?
So this year, it is only fair to provide some feedback regarding what I heard and saw in San Francisco.
But before sharing a few takeaways, I'd like to mention the session entitled “Cybersecurity and the States.” The session was summarized in this Forbes blog by Elise Ackerman. While we had over a hundred people attend our panel session, many more went across the hall to hear about the latest hacker tricks, tips and techniques.
Three Top Takeaways
One theme that kept coming up was dealing with “big data.” There were many twists on this, such as this one from Darlene Storm’s Computerworld blog. She wrote:
“The big topic was big data, including how it can bring big security problems…
Regarding big data vulnerabilities, Coviello warned, ‘Our attack surface and risk will be magnified in the coming years as a result. We all have the ability to access large data stores because of cloud, but we're not the only ones that can access these data stores. Our adversaries will, as well.’"
One session that I attended was facilitated by Richard Stiennon, called: I Was Blind, but Now I See: CISOs Discuss Visibility with Big Data Security. This was an excellent session in which four CISOs discussed how they are dealing with the huge amount of data being collected from all over their networks. The theme was that prevention-based technologies often bring a false sense of security. All of the CISOs addressed the need to go through gigabytes of data, sifting through events and triggers to find real incidents and the actions they require.
The panel expressed positive reviews for the vendor Splunk’s products and ability to do event correlation. (Side note: Splunk offered my favorite T-shirt with the words “You can’t always blame Canada.”)
There was also a suggestion that in the future we will be incorporating even more data from the business side and physical security side of things. This will allow better detection of fraud and a more intelligent response to security events.
The second theme was a push towards a network of sensors that work together to report back to a central “brain,” much like the human body’s central nervous system. To some extent, this is just an extension of the traditional “defense in depth” concept and of correlating netflow data and logs from a variety of network devices. However, there is an even bigger push towards more network and system intelligence coming together to stop attacks.
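The two themes above (sifting events to find real incidents, and correlating logs with netflow data from different sensors) come down to a small amount of logic once the data is in one place. The following is an added example, not code from the original post, from the RSA panel or from Splunk. It is a toy correlator in Python: the sshd log lines, the NetFlow-like records, the host-to-address mapping, the host name web01 and the thresholds are all constructed for illustration. A run of failed logins on its own is noise; a run of failures followed by a success from the same source is an incident, and a large transfer from the compromised host back to that source shortly afterwards raises the severity.

```python
"""Cross-source event correlation: sshd auth log + flow records -> incidents.

Added example, not code from the original post, from the RSA panel, or from
Splunk. The log lines, flow records and host mapping below are constructed
for illustration; a real deployment would read them from its own SIEM.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sshd lines (hypothetical host web01, RFC 5737 addresses).
AUTH_LOG = """\
2013-02-26T09:00:01 web01 sshd[2001]: Failed password for root from 203.0.113.9 port 51000 ssh2
2013-02-26T09:00:03 web01 sshd[2001]: Failed password for root from 203.0.113.9 port 51001 ssh2
2013-02-26T09:00:05 web01 sshd[2001]: Failed password for root from 203.0.113.9 port 51002 ssh2
2013-02-26T09:00:07 web01 sshd[2001]: Failed password for root from 203.0.113.9 port 51003 ssh2
2013-02-26T09:00:09 web01 sshd[2001]: Failed password for root from 203.0.113.9 port 51004 ssh2
2013-02-26T09:00:12 web01 sshd[2002]: Accepted password for root from 203.0.113.9 port 51005 ssh2
2013-02-26T09:15:00 web01 sshd[2100]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2013-02-26T09:15:20 web01 sshd[2101]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

# Constructed NetFlow-like records: timestamp,src,dst,dst_port,bytes
FLOWS = """\
2013-02-26T09:03:40,10.0.0.5,203.0.113.9,443,734003200
2013-02-26T09:16:00,10.0.0.5,198.51.100.7,22,4096
"""

# Assumed asset inventory: which address belongs to which host in the auth log.
HOST_ADDR = {"web01": "10.0.0.5"}

AUTH_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+"
)


def parse_auth(text):
    """Turn sshd lines into dicts; lines that do not match the pattern are dropped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, host, outcome, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "outcome": outcome, "user": user, "src": src})
    return events


def parse_flows(text):
    """Turn CSV flow records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def correlate(auth_events, flows, fail_threshold=5, fail_window=timedelta(minutes=5),
              exfil_window=timedelta(minutes=30), exfil_bytes=100_000_000):
    """Raise an incident only when failures, a success and outbound bulk transfer line up.

    Rule: at least fail_threshold failed logins from one source to one host within
    fail_window, followed by a successful login from that same source. If the host
    then sends at least exfil_bytes back to that source within exfil_window, the
    severity is high; otherwise medium. Thresholds are assumed values.
    """
    incidents = []
    failures = defaultdict(list)  # (host, src) -> timestamps of failed logins
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["src"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= fail_window]
        if len(recent) < fail_threshold:
            continue  # a normal login, or one typo before success: noise, not an incident
        host_ip = HOST_ADDR.get(ev["host"])
        sent = sum(f["bytes"] for f in flows
                   if f["src"] == host_ip and f["dst"] == ev["src"]
                   and ev["ts"] <= f["ts"] <= ev["ts"] + exfil_window)
        incidents.append({
            "host": ev["host"], "src": ev["src"], "user": ev["user"],
            "failures": len(recent), "first_failure": recent[0], "login_at": ev["ts"],
            "bytes_to_source": sent,
            "severity": "high" if sent >= exfil_bytes else "medium",
        })
        failures[key].clear()  # do not re-alert on the same burst of failures
    return incidents


def run():
    """Parse the constructed inputs and return the correlated incidents."""
    return correlate(parse_auth(AUTH_LOG), parse_flows(FLOWS))


if __name__ == "__main__":
    for inc in run():
        print(f"{inc['severity'].upper()}: {inc['failures']} failed logins from {inc['src']} "
              f"to {inc['host']}, then success as {inc['user']} at {inc['login_at']}; "
              f"{inc['bytes_to_source']} bytes sent back to source within the window")
```

On the constructed input, eight auth lines and two flow records collapse into one incident: the root brute force from 203.0.113.9 followed by roughly 700 MB leaving web01 for that same address. Alice's single typo and her small follow-up flow produce nothing, which is the point the panel was making: the value is in the correlation across sources and time windows, not in any single event.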
So what vendor themes were at RSA? Every part of the business and technology organization in an enterprise plays a role in protecting data and information. While this has always been true, there was a bigger push in this area, along with more integrated tools, this year. In fact, the stated theme of this year’s conference was “Security in Knowledge.” The Gutenberg printing press was offered as a model.
For a specific example, McAfee CTO Michael Fey encouraged getting more parts of the business and system administrators involved in helping enforce security policy. He said,
“Additionally, Fey said that firms should make sure that responsibilities and duties are spread out, rather than relying on one group or department to handle all security operations.
In doing so, Fey said that companies will not only be better equipped to respond to threats and utilise current security platforms, but also make use of emerging platforms which could offer far greater intelligence and response capabilities….”
A third lesson learned at RSA this year was perhaps the most obvious. Cybersecurity is really hot right now, with more companies, products and attention than ever before.
Perhaps the recent headlines regarding China, President Obama’s executive order on cybersecurity and Presidential Policy Directive (PPD-21) and other hacking news stories make this obvious. But nothing makes the point stronger than walking around the RSA show floor or the hotels surrounding the event.
For a deeper dive on this topic, see this extensive set of interesting interviews with industry thought leaders at the IT-Harvest website. Richard Stiennon called this: “The most vibrant and productive RSA conference of the decade has come to a close. The astounding attendance numbers were probably fueled by Mandiant’s ground breaking report on cyber espionage activity and even, perhaps, by President Obama’s reference to cyber security in his State of the Union Address.”
This long list of vendor interviews shows why. All I can say is: Wow!
So yes, if you’ve never been to the RSA Conference, start making plans to attend next year or at some point in your professional security career. There is nothing quite like it regarding security in cyberspace.
Were you there? Any thoughts to share?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.