Category: Cyber Security

The question all security buyers need to learn to ask, and vendors answer

In the last few months I have had the opportunity to talk to a wide range of people in our industry unencumbered by a business card that sets an agenda. I have spoken to vendors, investors, analysts and customers of all types and sizes. In doing so I have seen so many examples of vendors and investors who are almost blindly pivoting to the next bright shiny thing, egged on by analysts who have been swept up in the fervor of creating new cyber security market segments. The resulting turmoil is leaving our customers behind, asking what they should do.

There is no doubt cyber security is hot. Over the last couple of years, I have had a string of VC and PE firms wanting my help to get them a slice of the pie. Money has flooded in to fuel what is in effect a war effort happening on commercial terms. As in many modern wars, industry is not supplying a centralized army or war office but individual militias who are short on resources and often sound like cavalry officers in World War I, finding themselves overly exposed as they watch tanks roll by, biplanes overhead and clouds of mustard gas around them. This is a war where the speed of innovation in weapons development is unprecedented and the results massively asymmetric. Every day there are adversaries out there doing the equivalent of an infantryman in the trenches of Flanders creating a tactical nuke complete with delivery system, all without the fuss of 25 years of science, the Manhattan Project or Wernher von Braun and Redstone. Weapons that, if they were conventional, would only be available to nation states can now be acquired by almost anyone. No wonder so many customers are left confused as to where to turn next in the search for something, anything, that will make the world better.

Therein lies the problem. Desperation. When you are injured in battle and the trusted therapy or medication stops working you will look at alternatives, even the ones that in other circumstances you would have written off as crazy. Focus also shifts to treating increasingly significant symptoms rather than the underlying condition, and that is where I believe we are today. We have a war being fought with unprecedented scale and weapons sophistication, creating casualties who are looking anywhere they can to patch their wounds and get back into the fight. They have plenty to choose from and people prepared to offer almost anything. So how does a CEO, CIO or CISO make the right decisions at this point? Well, I believe that there is one question they need to be asking when evaluating a new product or service, and ensuring it gets answered to their satisfaction.

What guarantee can you provide me that what you offer is going to reduce the number of bad things that happen?

In other words, prove to me that what you offer is actually going to increase my security.

It is that simple. Demand proof and focus on things that stop incidents. That last piece is important. I am not advocating a defense-only strategy; that stopped working a long time ago. If you believe you can build an impenetrable wall that will never get breached you are nuts! Just like on the battlefield, you should be prepared to treat wounds that have pierced the body armor protecting vital organs, or hard-to-protect ones like the head, very differently from a flesh wound in a limb. Finding and removing that bullet or shrapnel sitting next to a major artery or organ quickly and efficiently under fire is a priority. Having armor that either stopped it in the first place, made it less lethal or helped you pinpoint the exact location is better.

So, who are the vendors who can answer this question? I am not going to name names but I can tell you what I see them working on.

  • Identity – Enabling you to know someone or something is who or what they say they are.
  • Information – Making it only accessible to those who have a real right to see it.
  • Automation – Less focused on the mundane and more on helping the battlefield troops.
  • Disruption – Of attacks and attackers.
  • Expertise – Providing you with access to mercenaries or helping you develop your militia.

In each of the above I have come across vendors who can put real data behind their claims that I can map directly to better outcomes for their customers. The form of the guarantee may vary. Some offer results-based payments, a few are working on insurance-backed guarantees, others are just able to show and explain with hard customer data how they have stopped bad things happening, for example by identifying bad actors before they act or by enabling organization-wide encryption.

If more people learn how to ask this question, and are not swayed by arguments to address symptoms or by propaganda showing how they are winning the war, and if vendors focus on delivering products and services that stop bad things from happening, we will win in the long run.

What we can learn from “Envelopegate”

Many years ago, I ran a technical production company supplying lighting, staging, AV equipment and the people that went with them. We did our fair number of awards shows. Nothing on the scale of the Oscars, but I was there when people received awards that changed their lives and their company’s fortunes. I have also had the opportunity to work on live televised events. Nothing with the audience of the Oscars but with the majority of the same roles and processes in place. I have also been the “talent” on stage at events with live audiences often bigger than those in the Dolby Theater and have an understanding of what that entails.

If you have not experienced the backstage of a large event then picture a time when you felt most out of place, make it very dark, speed up time by about 50% and you are there. There is a new language to learn, strange customs, a complicated organizational hierarchy, invisible sight lines to stay behind and an understanding that no matter what “the show must go on”. It is not the natural environment of two no doubt highly accomplished partners from a very well respected accountancy and professional services firm.

Like most I was not overly surprised that the Academy elected to scapegoat Brian Cullinan and Martha Ruiz of PwC and have them kicked off the account. A mistake was made and action was needed to quell the developing media hysteria. Some commentators have questioned why Martha was also sacked given that Brian handed Warren Beatty the wrong envelope. An article from the BBC that I read, based on an interview with Martha, revealed the process they go through to memorize the results so that the person stage left and the person stage right both know what should be announced in each category. This made them both responsible for not identifying and resolving the issue faster.

Only a few people were backstage at the Dolby Theater on Sunday night and saw what actually happened in the seconds after Faye Dunaway said the words “La La Land”. An article in The Wrap, based on an interview with the lead stage manager Gary Natoli, loads the blame on the PwC partners, claiming “they froze”. To hammer home the point the article mentions that there was some discussion the prior day of the protocol should an event like this happen. Natoli alleges that he was standing 5 feet away from Martha as this unraveled and she said nothing. He says he had to walk past her during this as he escorted the host Jimmy Kimmel into the audience, where he could get into position to do a closing piece with Matt Damon. My read of this is that Martha was left alone at the side of the stage.

So why does this all interest me?

It is because I think it is a great and very public demonstration of how not to deal with an incident, or more precisely how not to prepare for one.

The reason that the stage has its own language, strange hierarchies, customs and working pace is that it is an environment where things are expected to go wrong and people have been drilled in how to deal with change. Any production requires planning and rehearsal which builds on years of practice. Everyone in the system learns their role and gets to test their capabilities and learn how they react. This is not the case for two partners from an accountancy firm. Once a year they get to step outside of their world and go backstage. If there was a discussion about the potential of a mix-up then they should have rehearsed what to do, used that exercise to identify issues and worked to resolve them. Perhaps the stage management team would have chosen to allocate an assistant stage manager to each accountant, to stick to them and act as a liaison: proactively checking everything was OK at every step and, the second it was not, reporting it up their chain of command to the stage managers and the show’s producers in the gallery.

Now imagine a similar event occurring inside your organization, say a major data breach. Hopefully you have a plan. You will probably have done tabletop rehearsals with the core team. You will have identified internal stakeholders and key external resources. What thought have you put into how all the human interfaces will work, and have you tested them?

Or will you just keep your fingers crossed and hope for a repeat of last Sunday, where there just happened to be a professional on hand who was well versed in spotting problems, reacting quickly to changes and taking charge? Unfortunately, people who are able to do what Jordan Horowitz did are rarer than you think. Also, having your customers clear up after your mistakes is not the way to go. Do what the Oscars team should have done: recognize that they had people on their team who would not be as practiced or potentially as skilled at reacting, and so practice and implement compensating controls as needed.

Oh, and if I were PwC, next year I would, for the night, hire two retired Secret Service agents to work with the partners, memorize the results and be empowered to step out onto that stage.

The Password is dead. Long live the Passphrase.

Eliminating the need for a user to enter a password to authenticate themselves has been a hot area of research and development for many years. I have played my part in this process, partly because it has been my job but also because, like just about every sane person, I hate passwords. My hatred is multifaceted, but after an awful lot of consideration I have boiled it down to just two primary reasons. Firstly, there are just too many of them; nearly everything we access has a password or a PIN. One of my favorite slides to use is a waistline shot of a medieval jailer with a big ring of keys, the idea being to imagine what we might look like were all of the keys we have made physical. Secondly, it is the inconsistency in length and complexity between sites and applications. I am not going to name the companies, but if you limit or implement strange rules on the combinations of uppercase, lowercase, special and numeric characters I can use, I am going to suspect that you have a problem inside your authentication system (I have seen rules set so that users cannot set passwords that look like the ones that are either hard-coded inside an app or have hard-coded special characteristics). Oh, and if you cap the number of characters you are going to make my blood boil, as I want to be able to kill your password with a passphrase!

Yes, that is right. Even though I fully support all of the efforts to replace a wide array of authentication mechanisms with something that is based on “something I have” or “something I am”, or a mashup of them like UnifyID, I still want to have “something I know” as part of certain authentications. And I want it to be as long and as complex as I want, and I want it never again to be called a password.

I especially want to use passphrases to authenticate me at critical points in important transactions. I might be really happy to use a passwordless authentication mechanism to gain access to my email, a great improvement over the saved cookie offered now. Should I however want to delete my mail account, do I really want to trust that to an “are you sure?” dialog? Probably, actually most definitely, not. The same goes for transferring large sums of money, electronically signing an important document or granting delegate access to a key system. I want to be forced to supply something that I and only I know, that has both length and complexity but is easy to remember. Enter the passphrase.

I do not need to explain the science when there is an XKCD cartoon that does it so well.

XKCD Cartoon on Password Strength
https://xkcd.com/936/

Anyone who has watched me while setting a passphrase will have seen me scouring my environment looking for inspiration. One thing that I have learned is that I can associate where I am, the items surrounding me and my physical state when I set a passphrase for a particular service. Once upon a time my main corporate passphrase revolved around a chance encounter with the actor Warwick Davis having a good time in the bar of a London hotel where the heating in the bedrooms was stuck on, in that rare thing, a British summer! It read like a tabloid headline, but to this day I can remember it.

There is another reason I want to be able to use passphrases, and that is that they are a very good mechanism to detect duress. When designing a secure system, process or procedure we must always look to the limits. Duress codes are not something that most private individuals will be that familiar with. The only likely contact they may have is via a home or business security system where entering a special reset code triggers a silent alarm but, on the premises, appears to have performed a normal reset (usually the duress code is the real code with the last two digits swapped). The use and application of duress codes is complex and in some situations contentious, but I would like to maintain the ability to implement them. They are also much easier to hide in a passphrase, as the user can set their own subtle rules that distinguish the real from the distress.
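To make the two points above concrete, here is an added example (my own illustration, not code from the original post): a word-list passphrase generator with the entropy arithmetic the XKCD cartoon relies on, the alarm-panel convention of a duress PIN made by swapping the last two digits, and a verifier that stores a user-chosen duress variant of a passphrase alongside the real one. The verifier computes and compares both hashes on every attempt so that response timing does not reveal whether the duress branch was taken. The eight-word list, the scrypt cost parameters and the sample phrases are constructed for the example; a real deployment would use a large published word list and production KDF settings.

```python
"""Passphrase entropy, duress PINs and a duress-aware verifier.

Added illustration for the passphrase post; not the author's code. The
word list, KDF parameters and sample phrases below are constructed.
"""
import hashlib
import hmac
import math
import secrets
from typing import Tuple

# Constructed toy word list. A real list (e.g. a diceware list) has thousands
# of entries; what matters for entropy is the list size and uniform choice,
# not that the list is secret.
WORDLIST = ["correct", "horse", "battery", "staple",
            "tabloid", "hotel", "summer", "radiator"]


def passphrase_entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words words chosen uniformly from list_size candidates.

    Four words from a 2048-word list is 4 * log2(2048) = 44 bits, the figure
    the XKCD cartoon quotes; a character-substitution password of the
    'Tr0ub4dor&3' style is usually estimated well below that.
    """
    return num_words * math.log2(list_size)


def generate_passphrase(num_words: int, wordlist=WORDLIST) -> str:
    """Draw words with the OS CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def pin_duress_variant(pin: str) -> str:
    """Alarm-panel convention described in the post: swap the last two digits.

    A panel that recognises this variant performs a normal-looking reset but
    raises a silent alarm. Rejects PINs where the swap would be a no-op.
    """
    if len(pin) < 2 or not pin.isdigit():
        raise ValueError("PIN must be at least two digits")
    if pin[-1] == pin[-2]:
        raise ValueError("last two digits are equal; duress PIN would collide")
    return pin[:-2] + pin[-1] + pin[-2]


def _kdf(passphrase: str, salt: bytes) -> bytes:
    # scrypt cost kept small for the example (assumption); raise n in production.
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


class PassphraseRecord:
    """Stored credential holding both the real and the duress passphrase.

    The user picks their own subtle rule for the duress variant (here the
    sample changes the last word). Only salted KDF outputs are stored.
    """

    def __init__(self, real: str, duress: str) -> None:
        if real == duress:
            raise ValueError("duress passphrase must differ from the real one")
        self.salt = secrets.token_bytes(16)
        self.real_hash = _kdf(real, self.salt)
        self.duress_hash = _kdf(duress, self.salt)

    def verify(self, candidate: str) -> Tuple[bool, bool]:
        """Return (authenticated, duress).

        Both comparisons always run, in constant time, so an observer cannot
        tell from latency which branch matched. The caller must treat the
        duress flag as a silent signal and show the user the normal success
        path.
        """
        digest = _kdf(candidate, self.salt)
        is_real = hmac.compare_digest(digest, self.real_hash)
        is_duress = hmac.compare_digest(digest, self.duress_hash)
        return (is_real or is_duress, is_duress)


if __name__ == "__main__":
    print(f"4 words / 2048-word list: {passphrase_entropy_bits(4, 2048):.1f} bits")
    print("sample passphrase:", generate_passphrase(5))
    print("duress PIN for 1234:", pin_duress_variant("1234"))
    rec = PassphraseRecord("correct horse battery staple",
                           "correct horse battery stable")
    print("real   ->", rec.verify("correct horse battery staple"))
    print("duress ->", rec.verify("correct horse battery stable"))
    print("wrong  ->", rec.verify("correct horse battery"))
```

The design choice worth noting is that the duress outcome never changes what the user sees: `verify` returns the same `authenticated=True` for both phrases, and it is the surrounding application that quietly acts on the second flag. If the duress phrase produced a visibly different response, it would defeat the purpose.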

To get the ball rolling I am suggesting that we all adopt one simple change. Delete the word “password” from our vocabulary and replace it with “passphrase”. Then, as we start to roll out more modern authentication solutions and ask users to define a phrase, they will see it as a clean break from the past and into a future of easy-to-remember, high-entropy phrases that can support features such as hard-to-detect distress codes.

RSA Conference 2017: In Search of a Theme

This is the first year in a very long time that I have been at RSAC and not been there representing a major exhibitor. I was expecting that to give me more time to explore and see things that I often miss. Turns out that is not the case. Through a combination of having to walk further, as the conference has definitely spread beyond the Moscone and the nearby hotels, and being stopped every few minutes by people asking what I am up to, I think I am actually seeing less than I did last year!

My big observation so far is that I am not really seeing one unifying theme. I do not mean the one that the organizers create, which this year is the ever-optimistic “The Power of OpportUnity”. I mean the common thing that appears in most presentations, stand shows and hallway chats. The only common thread, as with so many other aspects of life at the moment, is some degree of uncertainty about the stances that will be taken by the incoming administration. If however you dig down a bit you do hear the usual perennial themes: the reality of the lack of skilled personnel in our industry; the need to provide effective controls over our information and identities; and the fear that is building within organizations around their reliance on, and therefore vulnerability to attacks on, their IT infrastructure, be that DDoS, ransomware or fraud. I have heard a dozen people predict a major public business failure in 2017!

It is going to be a long week and I look forward to trying to see more of it.