August 25, 2012 By Dan Lohrmann
One of the hot topics at the MS-ISAC Annual Meeting and GFIRST in Atlanta this week was the recent Wired article by Mat Honan entitled: How Apple and Amazon Security Flaws Led to My Epic Hacking.
The entire article is worth reading, and may shock you into action. Here is the first paragraph of the article:
“In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”
That article, along with other information, led to Apple and other organizations changing their over-the-phone password reset procedures.
There is no doubt that the majority of online users typically:
- Use very simple passwords that are easy to guess
- Use the same passwords for multiple applications and services (such as Gmail and Facebook)
- Only change their passwords when forced to do so
- Use the same passwords for home and work
- Share passwords with friends and family members
I could go on, but the stupid things that we do (or don’t do) with passwords are well-documented.
However, I must admit that the Wired article was a bit of a personal wake-up call for me. While I have always used rather complex passwords, I do slip into some of the other bad habits at times. But lately, I have gone through the simple list above and made adjustments to my personal online security situation regarding passwords. I want to point out a few practical steps that we all can take to help secure things.
Second, I found this sixty-minute security make-over article to be well-done and helpful. It discusses linked social media accounts and a host of other areas that need to be addressed by all of us for better security.
Third, even if you don’t follow these extra security steps, at least regularly change your passwords to something a bit more complex and don’t reuse them across home and work. Also, back up important data.
I know, I know. Security pros have known about these basic password steps for years. But actions speak louder than words. And there is too much at stake with our online data to do nothing. I like many of these new precautions, since one-time actions can provide much better overall protections.
What are your thoughts on personal passwords? Any ideas to share?
August 22, 2012 By Dan Lohrmann
According to the event website, GFIRST is described like this:
“The Government Forum of Incident Response and Security Teams (GFIRST) is a group of technical and tactical practitioners from incident response and security response teams responsible for securing government information technology systems and providing private sector support. GFIRST members work together to understand and handle computer security incidents and to encourage proactive and preventative security practices across government agencies. GFIRST promotes cooperation among the full range of Federal, State and local agencies, including defense, civilian, intelligence, and law enforcement.”
As in previous years, the GFIRST conference is being held during the same week as the MS-ISAC Annual Meeting and national InfraGard meetings. This allows a diverse group of experts from around the country to attend multiple events during one trip and add maximum value to travel.
The opening plenary session speakers were Art Coviello, Executive Chairman at RSA, Alan Paller, Director of Research at the SANS Institute, and Tony Sager, former head of NSA’s IA program, and now with SANS.
I won’t go through point by point what was said this morning, but here were some themes, first from Art Coviello:
- We need more risk-based, intelligence-based cybersecurity.
- Contextual information sharing is key.
- There is a big perception versus reality gap regarding breaches.
- Impediments to progress include:
- The organizational maturity levels for cybersecurity move from control to compliance to measuring IT risk to measuring business risk
- Art Coviello called for the President to act now with an executive order, for Congress to pass the Rogers-Ruppersberger bill, and for a bi-partisan commission that could discuss what’s really happening behind closed doors.
Alan Paller discussed the shifts that are taking place in cybersecurity around the world within the past 60 days. A new focus is on fixing known problems and especially the top twenty security controls.
He suggested that the new security heroes were teams and not Lone Rangers. He said management wants to know the answer to three questions:
1) What will it take to adequately secure our systems?
2) How much security is enough?
3) Whom can I trust to give me the right answers?
Paller suggested that “offense informs defense” – meaning that those who actually see and understand how we are being attacked can better defend in the future. He also said that we have the tools and the dollars, but we primarily need leadership.
There has been a 400% increase in significant cyber attacks in the past 90 days. DHS sees a new attack every 90 seconds.
Tony Sager described his prestigious career at NSA and offered some thoughts on our "information management" problems moving forward. He said we must focus on a small number of critical activities that will make the biggest difference. He also discussed the 80/20 rule and the benefits of using the Pareto Principle in cyberdefense, operations and project planning.
Are you at GFIRST? Any thoughts to share?
August 20, 2012 By Dan Lohrmann
I’m at the Multi-State Information Sharing & Analysis Center (MS-ISAC) Annual Meeting in Atlanta, where the state and local government Chief Security Officers (CSOs), Chief Information Security Officers (CISOs) and many of their top team members have gathered for three days. The MS-ISAC is now a division of the Center for Internet Security (CIS), and this group plays a vital role in cybersecurity information sharing and situational awareness between the Department of Homeland Security (DHS) and state and local governments.
These meetings provide a venue for collaboration and comparing notes amongst the cyber leaders in federal, state and local government. For the last few years, the meetings have been held in conjunction with the GFIRST conference, which is sponsored by DHS.
This year, the MS-ISAC Annual Meeting is the largest ever and includes representatives from 45 state governments and 40 local governments.
While the major focus of the three days is engagement on specific cyber issues and workgroup topics, the agenda for the annual meeting includes presentations from cyber leaders like Will Pelgrin (President and CEO of CIS), Howard Schmidt (former cybersecurity coordinator for President Obama), Mark Weatherford (Deputy Under Secretary, Cybersecurity National Programs and Protection Directorate, DHS), Steve Chabinski (Deputy Assistant Director, Cyber, Federal Bureau of Investigation) and Kelvin Coleman (Director, State, Local and Tribal Engagement, National Cyber Security Division, DHS).
We will also have updates on specific new MS-ISAC projects, like the CISO mentoring program started earlier this year. Many of the mentors had a chance to meet with the men and women that they are mentoring last night for the first time before the welcome reception, and these types of informal get-togethers are very helpful, in my opinion.
So what is everyone talking about?
The morning sessions were excellent, with Howard Schmidt providing insights from his years in the public and private sectors. He discussed the first Cyberstorm exercise, and he said he was proud of how far we’ve come – while admitting we have a long way to go. Howard charged the delegates to:
1) Lead their governments’ efforts in buying the right security products and services
2) Uncover vulnerabilities and ensure that we take away the known holes.
3) Build the future teams and vision for cybersecurity collaboration and information sharing.
Howard also discussed the struggle regarding the roles of government and making secure product configurations mandatory versus voluntary.
Other morning updates included some impressive numbers by Will Pelgrin regarding the roles and responsibilities of the MS-ISAC, a great keynote by Steve Chabinski from the FBI, and several updates from DHS on upcoming events and awareness training.
This afternoon will offer breakout sessions on several topics as well as workgroup action sessions.
We kick off tomorrow with some joint MS-ISAC / GFIRST meetings.
August 18, 2012 By Dan Lohrmann
Back in late June, I wrote about connectivity options while traveling during my vacation in Ocean City, Maryland. The blog was entitled: Vacation WiFi: What Networks Can We Trust? Now, thanks to some emails from an online friend who wishes to remain anonymous, I can offer “Part 2” of this story.
To summarize my vacation wireless options, I wrote:
“As I powered up my iPad from our fifth floor condo on 136th Street, more than a half dozen wireless networks popped up. I asked myself: Can I use (or trust) any of these? Are they free? Is it worth the risk, if they are?
The names were intriguing to me, ranging from Netgear58-5G to Oceanside136 to OceanNet Public Internet ST to Wireless Beach Access.”
I guess I should have also contemplated whether the WiFi networks were even legal. Last week, I received this message in an email:
“Mr. Lohrmann – Saw your article about Vacation WiFi and noticed you mention Oceannet. You may want to read the following article:
It is a good example of why people should be wary of WiFi services, especially ones that ask for a credit card or PayPal account requiring payment.”
The article was written three years ago. Here’s a brief excerpt:
“Unfortunately, it appears that OceanNet kept its service cheap by getting unauthorized access to Comcast's residential service, and the cable giant is not amused—it's suing to recover the ill-gotten gains of the WiFi provider.”
A later email went further: “I thought you might find it interesting given you mentioned them in your article. I don’t know how much you dug into it; the lawsuit by Comcast was settled for a $50,000 fine plus an agreement to never use/abuse Comcast cable modem services again.”
I confirmed that this emailed information is true. While the individual running the service in 2009 was cleared of criminal charges, a consent agreement was reached in 2011 in which $50K in damages was paid to Comcast for reselling their service.
Which brings me back to my vacation in June, 2012. I had an experience with a WiFi service that now goes by the same WiFi name. Is this current service legal or not? I don’t know, but it certainly raises several additional reminders, comments and/or questions for all of us. Here are a few thoughts to ponder:
1) Reselling your typical residential WiFi service for profit is a violation of the terms of service with your Internet Service Provider (ISP) and is also illegal without a license. Even if no dollars change hands, it is not smart to leave your wireless network wide-open without password protection. It will slow down your network and open you up to other risks to your data.
3) Connecting your devices to unsecured WiFi has risks as well – even if it is “free.”
4) WiFi reputation is important. Many of us ask: Can I trust this network?
Going back to my experience in Ocean City, some people may wonder why I should care whether the new OceanNet service was legal or not. Isn’t that a matter for the owner of the service and ISPs? Perhaps the service had legal troubles before but is now “relaunched” legally under the same name. How can your average user figure this stuff out?
This is a complicated question to answer, but typical users on the move often can’t know for sure. You can “google it” to check on WiFi reputation. You can ask a trusted local source (such as the condo owners or local businesses). You can rely on the “big names” like McDonalds, your hotel chain or major ISP provider. But most of us don’t check court records for unknown access points.
5) We need to care if the service is legal. I ask you: Are you comfortable providing a credit or debit card to access an illegal service? If the service is illegal, I wonder what else is going on behind the scenes. Am I being spied on? Are my credentials or credit card numbers being stolen? Can I trust this provider?
While this blog may leave you with as many new questions as answers, there are many great articles on how to safely use hot spots, in addition to my original blog. The best advice that I can give is to research your specific options (at your location).
I tried to write a “behind the scenes” piece on this topic, but the simple decisions that I made on vacation could have turned out to be much more complicated – if I had used that WiFi network. As it turns out, I never used that WiFi service for the very reasons being discussed.
Nevertheless, this true story points out that we all need to have a personal plan if we intend to use wireless networks that we know very little about. As my online friend pointed out, it is best to be wary of unknown WiFi options. There are plenty of safe options for frequent travelers, but oftentimes, users try to save $$s and not use their minutes and/or want to try something new.
What’s your plan? Or, do you have a WiFi story to share?
August 12, 2012 By Dan Lohrmann
This brings up an interesting question: How do you spell cyber… anything? While this may seem like a trivial topic, I do think it matters.
At first glance, spelling cyber just seems all over the map. For example, many people still use two words for Cyber Security. Some still use a dash: Cyber-Security. But more and more articles and books are moving to just one word with a small “s” in the middle – Cybersecurity.
The single word has become the norm in Washington D.C. in government circles – including the White House, Washington Post and other news outlets. Even foreign conventions are starting to combine cyber words.
Another option is to drop “security” altogether and just use the word cyber instead of cybersecurity in some cases. This trend may allow for even more merging of words. For example, “Cyber Security Threat” becomes “Cyber Threat” and eventually we have “Cyberthreat.”
Many people have been using the word cyberspace for years. The term can have multiple meanings, but is often used interchangeably with the Internet or the World Wide Web. And yet, other cyber words are evolving within the English (or American-English) language.
If you type in “cyberattack” in Google, you will be asked if you meant to add a space (two words). But interestingly enough, the search results are very different with the space in between. The single word “cyberattack” yields 1.2 million page views, but the two words “cyber attack” yield about 10.5 million page views. More importantly, the top results are very different on these two searches. These different results can come from different spellings of cyber within headlines, books and articles.
Yes - Spelling Does Matter
So why should we care? Are we witnessing a new “cybermania?” Perhaps.
The “cyber” word is showing up everywhere. We now have cyberbullies, cybercars and more. Just adding “cyber” out front is hot – almost the new “e” from a decade ago. We used to hear a lot more about “e-government” and “e-everything.” Over time, that terminology became less popular, as we now talk about mobile government. Nevertheless, e-government is still widely used today.
Moving forward, as more areas of society use the Internet, mobile apps and technology, there will be a security component to all these new topics that some call the consumerization of technology. The word “cyber” out front could become the new normal for an ever-growing list of security solutions within technology topics – or just another way of implying "computer-oriented." I suspect we will be seeing more cyberpets, cyberpower and even cybersports in virtual worlds. This may make the security-focused link confusing.
I also believe there is a growing specialization in the various fields of cybersecurity. The new words are a reflection of entirely new industries in specialized security categories – almost like the medical areas where doctors specialize in specific topics. For example, cyberdefense or cyberwar can be considered sub-areas within cybersecurity. That’s right – our new cyber language is telling us about future job opportunities for our teenagers - so take note when you hear new cyber words.
Beyond technology trends and the evolution of the American (and English) vocabulary, spelling matters for reasons like school spelling bees and computer spell checkers which put little red lines under cyber-words. Our spelling also shows how we talk about various topics and how these new terms are interrelated.
As a practical matter, I recommend trying multiple spellings when researching various “cyber-security” topics. I find very different results by separating out the word cyber, combining the word cyber with other words, or adding a dash.
And yes, this topic does come up in the daily life of a chief security officer. When we were building our Michigan Cyber Initiative document last year, we debated on how to spell “cybersecurity.” Should we spell out the two words: “Cyber” and “Security” in the title? Or, should we combine them into one word: Cybersecurity? Or, what?
In the end, the word “Cyber” won out and stood alone to best capture our meaning, since combining cyber words seems to be the new normal.
What we later found interesting was that our document didn’t come up (as a first page choice) within a Google search when looking for “State Cybersecurity Initiatives.” We did some Search Engine Optimization (SEO) work and got that fixed.
So, how do you spell cyber?
Building effective virtual government requires new ideas and hard work. Security professionals need to be enablers of innovation. From helpful Internet training to defending cloud computing architectures to securing mobile devices, Dan Lohrmann will cover what's hot and what's not in protecting your corner of cyberspace.