Wednesday, December 17, 2014

Sony Breach: Will Visualizing Sony Implosion Lead to Improved IT Governance

So I've been watching breaches for many years, and the latest Sony breach is awe-inspiring in terms of its scale and the maliciousness of its intent; the breach seems to transcend the typical profiteering objectives and feels more like economic espionage. The scale and intent of this breach seem to have intersected with a company that places little value on either security management or IT governance. They clearly have not learned from past mistakes, and they now seem to be faced with the biggest security spectacle in a decade.

Only time will tell, but at this point this breach may have a lasting impact in the minds of executive management worldwide. IT governance could rank higher, much higher, in the minds of corporate leadership. From a governance standpoint, the impact of many breaches is reduced mainly to quantifiable dollars: perhaps the cumulative cost of the breach and the impact on stock price, with a little brand damage thrown in. Even 100 million dollars of breach cost is not nearly catastrophic for a business unit that can generate multiples of that in profit in a single quarter. However, whatever the future holds for Sony, it's not inconceivable to see a scenario where the entire Sony Pictures Entertainment crumbles and significantly impacts the greater Sony conglomerate. It's not so much that this will happen as that the scenario seems plausible. Corporate boards will be able to visualize that in their own organizations. With that potential impact, I feel that we could be ushering in a new era of IT governance.

A couple of thoughts come to mind for corporate boards and IT stewardship in terms of their ability to provide effective IT oversight.

1. Every board should be able to answer the following questions as part of a competency test for their ability to manage security risk and IT governance:
  • What are the risks associated with having the security department report directly into the IT organization? and
  • Who is reporting to the board about security risk and IT controls, and what might their bias be?
Hint 1: One key unstated objective of a corporate CIO or IT director is to keep their job, put food on the table and otherwise keep a paycheck; a good way to achieve that is to demonstrate what a great job they are doing, which in fact can be said about most jobs.
Hint 2: A key objective of a security assessment by an outside auditor is to identify weaknesses in the IT environment.
Hint 3: Hint 2 is in direct conflict with Hint 1.
2. Does the board have a technical member who can help facilitate meaningful discussion around security and technology infrastructure?

Clearly the Sony breach demonstrates a new avenue and motivation for security breaches. From a governance perspective, the risk should be perceived as much more open-ended. Perhaps the day of classifying data disclosure purely in terms of monetary impact that can be insured against or hedged with huge profits is over. Corporate risk management will begin to imagine breach impacts so significant that they could change the course of an entire company.

Tuesday, December 16, 2014

iOS Anti-Phishing Functionality: Marginal

Anti-Phishing Features in iOS are of Limited Value

The anti-phishing functionality in iOS works, but there is a significant lag in updating the phishing site database. According to Apple, when turned on, the functionality should alert you if you click on a link to a known phishing site.

Enabling this feature on my iPhone (5s running iOS version 8.1.2) seemed to work, but only if I go back to phishing sites that were reported the previous day. I used sites reported by for the test. 

The following sites were tested. These included sites identified within the last 24 hours, with the most recent reports first. (Note these are documented phishing sites. Visit at your own risk.) The first few sites were not detected as phishing sites when clicked on in my iPhone Safari browser; only the last two were. However, on the desktop Chrome browser, all of the following links presented a warning.

When successfully identified as phishing sites with my iPhone (sites 4 & 5, above) the following message was displayed.


Be wary. According to the Anti-Phishing Working Group (APWG), "Apple became the world’s most-phished brand" this year. Phishing sites tend to be somewhat temporary anyway, with an average uptime of less than 33 hours according to APWG in its report from June of 2014. As such, Apple's delay in updating its phishing database makes the feature of very limited value, given that phishers are adept at acting fast and using new phishing sites for active campaigns.

How to configure anti-phishing

You'll still need to be aware of websites you visit (difficult on a mobile browser) and be wary of submitting your credentials, but it still makes sense to ensure that you have the anti-phishing settings turned on. Here's how:

Go to Settings-->Safari and turn on "Fraudulent Website Warning".

Tuesday, December 9, 2014

Sony Breach - How A Hack Will Add Transparency To Your IT Practices (AKA I've Seen This Movie Before)

Having spent 15 years in security and building a security assessment company, which helps companies identify and mitigate security risk, I've been at ground zero for many data breaches. I've seen the fallout. I've watched as companies that couldn't even fund a realistic budget to help address security risk make outsized expenditures after a security incident. I've seen companies that couldn't even get an internal risk management meeting together with key stakeholders involve many lawyers, executive management, IT and compliance personnel and even the board of directors after an incident.

As it turns out IT gets a lot of attention after a breach.

So while there may not be much visibility into the inner workings of your IT function before a breach, you can bet there will be after. Corporate IT is becoming very, and it's difficult to gauge the overall robustness of many IT environments at a glance. In effect, IT is not inherently transparent. However, what you will find is that after a breach, there is significant scrutiny of IT practices. Few people really know what's happening in your IT environment before a breach, but everyone will be looking at your IT practices after.

And this increased visibility creates two phases of impact. The first phase is the data disclosure impact such as the compromised credit card numbers, account numbers, passwords, social security numbers, confidential data, etc., and the associated liability. The second phase is the impact associated with how your IT environment is viewed once it comes under scrutiny.

The poster child of this was CardSystems Solutions, a credit card processor. They had 40 million credit cards compromised from their systems. However, it wasn't the incident itself, but their security practices exposed after the breach, that led to their downfall. When it was discovered that they had been storing unencrypted card numbers on their network, their biggest customers, Visa and American Express, dropped them, and they eventually shuttered.

And more recently you can see the dissection of Sony's security practices, such as:

Interviews with former employees:
“Sony’s ‘information security’ team is a complete joke,” one former employee said. “We’d report security violations to them and our repeated reports were ignored.” on Time's website.
Similar tweets:

And a Mashable post with the headline:
"Sony Pictures' security chief once thought data breaches weren't a big deal"

Of course you might be able to say this about any organization, or perhaps you could argue that these quotes have been taken out of context. There is certainly plenty of Monday-morning quarterbacking happening here, but these comments, along with some of the apparently lax security controls, reinforce the idea that Sony's culture didn't foster robust security processes.

And I've experienced this attitude firsthand. I once drove 90 miles to meet a potential client to deliver a proposal for a web application security assessment when I was building Redspin. When I got to the meeting, the CIO not only failed to show for our confirmed meeting but had no excuse, apology, or any reasoning whatsoever; not even a comment or message. You can imagine my surprise when, a month or so later, I got a call from that same CIO. The company had been hacked; in fact, the very web application we would have evaluated got compromised in a very public way. So while I couldn't get the attention of the CIO for a meeting in his own conference room a month before, at this point the CIO was calling from the board room, with a room full of attorneys, top management and board members. It was a real fire drill; lots of people were looking at IT.

So I counsel executives to do this exercise: 

  • Pretend you just got hacked. Now, imagine how your security practices and decisions will be viewed.
Ask yourself these questions:

If we have a breach, and if my IT process is exposed, will it look like:

  • our organization values security?
  • I care about generally accepted best practices?
  • we respect the security process?
  • I value our employees' input?
What we do know is that your environment won't look perfect. No environment will look anywhere near perfect. IT is too complex and too dynamic. But will it look like you are even trying? Will it look like you care and even respect the process? Will it look like you care about your employee and customer data?