Things Matt Wrote

cybersecurity

Regular readers of this blog, or those who subscribe to the Threats Without Borders newsletter, have read my concerns about security training. This article from ZDNet highlighting the failure of such efforts struck a chord with me, but not because I agree with the position of the article. Well, not entirely. I agree that security training is not the be-all, end-all, and new learning techniques are needed.

The article proposes that security training is failing because it’s not being delivered in a way that creates a security mindset. The author believes the effort needs to be all-encompassing and daily.

"I think one of the most important things to realize is most of the education and training done, it's not very effective," "The 30-minute video you're obligated to watch once a year doesn't do the job".

Yes, I’ll agree with this, but maybe it’s not all on the security professionals.

I like to use the analogy of telling a child not to touch a hot stove. You can tell a child over and over to not touch the stove coil while it's glowing red hot, and even show them the scars you have from doing it, but until they do it and get burned they don't have any context. And because they don’t have any context, because they haven’t felt the pain, they’re going to touch the hot stove.

Consider phishing. How many phishing victims have received some form of training? A LOT. Yet they still clicked the link. In many of the cases I have investigated, the person responsible for clicking the link or sending the money order says to me, “I knew it looked suspicious” and “I know better, I saw the same thing in training”.

Almost all promise me “I won't make that mistake again”. And they won't. Much like a child never touches a hot stove top twice, they must get burned for the message to have an impact.

#cyficrime #cybersecurity #infosec #risk

As defined by Wikipedia, the Curse of Knowledge is a cognitive bias that occurs when an individual, who is communicating with others, wrongly assumes they have the background to understand the communication. Just because you have mastered a subject doesn't mean everyone you communicate with has also. I often assume that my audience has the prerequisite knowledge to understand the information I am presenting. I am often wrong, which leads to frustration on both ends. This doesn't mean they are of low intelligence or unable to learn; it just means we have different backgrounds, experiences, and professions. An orthopedic doctor trying to explain bone density to me is going to get the same response as me trying to explain Network Address Translation to her.

I recently participated in a ransomware tabletop exercise at a local business. Initially, I was disappointed in the simplistic scenario presented by the consultant running the exercise. Uhh, so basic, I can't believe they are getting paid for this, I thought. But as the exercise played out, I observed that even such a basic scenario led to very productive conversation. In fact, the participants couldn’t have handled much more. Many of the stakeholders were not in the business of security, or Internet technology, and needed to be brought up to speed.

The curse of knowledge got me again. I allowed my mastery of the topic to influence my opinion of the exercise and assumed the other participants had an equal or better understanding of ransomware and the incident response process. I had been through the scenario so many times, in both exercises and reality, that I had the answers. I wrongly assumed the others would also.

Read more...

This week President Biden claimed to be “committed to the cybersecurity of the country” and promised to hold those that threaten our nation's security accountable. He also announced that his administration was hosting a meeting with 30 countries from the NATO and G7 alliance to discuss the problem of cybercrime and come up with a plan to combat it. The statement asserted the group would bring the “full strength” of their capabilities to disrupt the malicious cyber actors.

Israeli defense minister Naftali Bennett describes Iran as an octopus that spreads its influence across the Middle East through its long tentacles. Mr. Bennett is the original proponent of the “Octopus Doctrine”, declaring the only way to successfully beat an octopus is to target its head. “When the tentacles of the octopus strike you, do not fight only against tentacles, but strike the head also”. Life comes from the head, not the tentacles.

Previously, the Biden administration outlined a new strategy for combating ransomware and cybercrime, as detailed in this Wall Street Journal article. The administration plans to target the financial infrastructure of ransomware gangs, hoping to remove the financial incentive of cyber-criminality.

Targeting the financial systems is just striking at one of the tentacles. You may cut it off, but seven more exist, and as you battle those the injured one will grow back.

Read more...

I work for an accredited law enforcement agency. Dually accredited actually, holding sheepskins from both the Commission on Accreditation for Law Enforcement Agencies (CALEA) and the Pennsylvania Law Enforcement Accreditation Commission (PLEAC). We're one of the few agencies in the state that hold both the national and state accreditation titles. This is an accomplishment to be proud of for sure, but it's expensive, burdensome, and at the end of the day may or may not make us better at policing.

The policy demands pushed down by various oversight organizations have been fast and furious in the aftermath of the death of George Floyd and the resulting focus on police. Particularly in the application of the use of force. Agencies that were accredited already met most of the policy demands called for by reformers but the need to look responsive is irresistible. Policies are tweaked, the language changed, “enacted dates” are updated to be current, and press releases touting agency reforms are issued. Some of these changes are badly needed, some are just policing reform theatre.

I'm a supporter of accreditation and believe that it's something every law enforcement agency should strive for. It's good for the leadership, it's good for the taxpayers, and at the end of the day, it's good for the individual officers. If the members of the agencies follow the policies as written they will be less likely to be questioned, disciplined, and end up named in a lawsuit. And that is good for everyone. But it's not that easy. The policies are so vast, so broad, and some so complex, that compliance is difficult to achieve. Even for the best-intentioned officer. Many policy violations aren't because of deliberate intent; it is because the officer is making a split-minute decision while under extreme stress. The angle of his knee, on an actively resisting suspect's back, is the last thing on his mind. On the other hand, some are deliberately disregarded because they are complex, overly broad, and nearly impossible to comply with all of the time. Some officers believe, why even try?

Accreditation and compliance is also big business in the world of information security. And with ultimately the same result. Compliance is not security. If you believe that your organization is secure because it is deemed compliant you are going to be terribly disappointed. And look like a fool. Compliance models are a set of best practices that will lead the agency to a more productive and secure environment but you can't just enact the framework, declare yourself secure, and walk away.

Read more...

Over the past year, “Dwell Time” has become part of the American lexicon. The term, when used in the scope of infectious disease, is the measurement of time a disinfectant needs to remain wet on a surface to properly disinfect. The quicker a disinfectant solution kills pathogens and sanitizes a surface the better it works. The Covid-19 pandemic has made most of us experts in disinfectants.

The concept of dwell time is also important in the field of information and computer network security. Dwell time is the length of time a threat actor is active, while undetected, within a network. It is the measurement of time from breach to detection. Obviously, the longer the adversary lives in the environment the more time they have to steal data and damage systems. The ultimate goal of every security team is to reduce adversary dwell time to the least amount of time possible. A dwell time of ZERO is the ideal.

Security software and threat prevention company Sophos released a report titled “The Active Adversary Playbook 2021”. The report is well written and has garnered some attention within cybersecurity media and practitioners. One of the more prominent and celebrated points made by the report is a median adversary dwell time of eleven (11) days. I immediately winced when I read this claim. I'm not an expert by any means, but that number seemed way off. Particularly since FireEye estimated the average dwell time to be 56 days in their 2020 M-Trends report. Did the security industry get that much better in just a year?

Read more...

My wife dropping her iPhone in the pool this week taught us two things. First, she learned how cold 64-degree water is as she had to get in to retrieve the phone. Second, regardless of what Apple claims, iPhones are not waterproof. To be fair, I suspect it was the salt more than the water that shorted out the device. Regardless, dropping your phone in a 64-degree saltwater swimming pool is going to result in negative consequences for both you and the device.

This event also reinforced another concept that needs to be stressed when discussing crisis and security incident planning. Data stored on digital media, and in the cloud, is worthless if you can't access it. The loss of the phone created significant complications for my wife since she couldn't complete the two-factor authentication process required to access many of her work systems and data. We save data to cloud storage systems for safety, security, and redundancy, but it's all for naught if you can't access any of it.

This brings up a bigger issue when considering Disaster Recovery and Business Continuity plans for your business. They are worthless if you don't have a copy when a disaster strikes.

Read more...

Email security company Mimecast released their annual “State of Email Security” report for 2021. The report is based on a survey of 1,225 information technology and security professionals from businesses around the globe. The survey participants were from businesses that spanned the industrial sectors including technology and telecommunications, financial services, manufacturing, and health care.

The report is well done and easy to digest. It is not easy to accept though. It's not that the data appears illegitimate or deceitful, but it is a stark reminder of the uphill battle security practitioners face in trying to protect their organizations.

Some of the statistics are expected, such as six out of ten organizations sustained a ransomware attack in the past twelve months. Threats delivered by email rose by 64% in 2020. 70% of respondents expect that their business will be harmed by an email-borne attack in 2021 and of those 26% claim that such an event is inevitable. Of course, it makes you wonder about the 30% that don't believe they will be afflicted by a damaging email attack this year. There is a fine line between confidence and lunacy.

Read more...

The 2020 Internet Crime Report was recently released by the FBI's Internet Crime Complaint Center. The one stat that stood out was the significant increase in extortion reports. The center received 43,101 reports of extortion in 2019. That number jumped to 76,441 in 2021, accounting for a 78% increase.

That increase in crime is certainly more palatable than the 110% increase in phishing complaints the center received, but a 78% increase is still significant. And extortion?

My immediate thought was IC3 is now considering Denial of Service for Ransom attacks as extortion, which would be correct. These cyber-shakedowns are nothing less than criminal extortion. Think of the 1920s gangster walking to the local butcher shop, “Nice shop you have here, would be a shame if you had a fire” but apply it to a website à la “Nice website you have here, sure would be a shame if it was taken offline”. I have previously written about RDOS (Ransom DOS) attacks.

Read more...

Several years ago, I was a guest on a local radio show where I spoke about Internet-enabled fraud. The final question asked by the show host was, “what are 'three quick things' that someone can do to protect themselves from cybercrime?”. It was such a simple question but it really caught me off guard. How could I hesitate on this? I just spoke about fraud schemes for the past 30 minutes. I was able to quickly name three things so I didn't look like a complete fool but as I looked back, the three tips that I gave weren't the best. It wasn't that I didn't know the answer, in fact, the complete opposite, I knew too much. The struggle was taking a huge volume of information and distilling it down into three bullet points. The quick and immediate “musts” of your topic.

Since that time, whenever I go speak publicly, I always prepare my “three quick things” answer for the given topic. These prepared responses also come in handy during a regular conversation. It's nice to immediately have a coherent response when friends, family, and colleagues ask for your opinion on a topic where you are recognized as being more knowledgeable than others.

Most small businesses, say less than 100 employees, do not have any dedicated employee for IT services, let alone security. Most of the time it is a collective effort to keep the Internet on and the printers connected. The lucky ones can afford contract services but for most, security is a wing and a prayer.

“What are some things I can do to keep my business secure?” is the most frequent question I get asked by these small business owners.

Three Quick Things:

Read more...

Domain registrar and web hosting company GoDaddy recently raised eyebrows and the collective ire of Reddit over an email phishing test they conducted on their employees. The company sent an email to employees promising a cash bonus, in the spirit of Christmas, and to ease the economic burdens they face due to the Covid-19 pandemic. The email included a link to a registration form that collected employee information under the guise of confirming employee status and “ensuring everyone gets the bonus”. Employees who completed the form didn’t receive a cash bonus but a notice of required security refresher training.

News of the test sent the technology reporter pool into a tizzy and brought the collective ire of self-righteous Internet forum warriors. Some of the criticism was pointed and legitimate. Poor topic? Yes. Poor timing? Yes. Entrapment? Maybe. GoDaddy should have recognized the sensitive content and poor timing of its delivery. The betrayal felt by employees is understandable.

Ok, but you still clicked the link. You could have compromised the entire network and therefore the integrity of the company! GoDaddy played dirty pool but so do the bad guys. Do you think a Russian crime group dedicated to compromising the computer network of your company ever has moments of self-reflection where they say “Wow, this is just going too far. We need to let this pass”? Do you think they have an open-door policy or a corporate ethics officer? Hell no they don’t. They are criminals. Betraying your emotions and stealing your candy is their job and they will stop at absolutely nothing to ensure success.

Those involved in the debate fall into two camps: security and non-security.

Read more...