Guest Post: When There is No Magic Box, Try the Magic Sauce for Near 100 Percent Security

We are pleased to welcome guest blogger Lars Meyer of Consigas. Based in Dublin, Ireland, Consigas is a Palo Alto Networks Elite Authorized Training Center that specializes in consultancy and virtual training.

The whitepaper from the SANS Institute “Beating the IPS” shows that any Intrusion Prevention System from any vendor can be evaded. The same is true for any other threat prevention techniques from classic AntiVirus to newer technologies like Sandboxing as none of them provide total security on their own.

The good news is that hackers face exactly the same challenge, as there isn’t a single attack technique that allows them to accomplish their final objective of exfiltrating data or taking control of IT resources for criminal activity. Nowadays an attack is a sophisticated, stealthy and continuous process, comprised of a chain of multiple steps that an attacker has to successfully go through in order to accomplish his goal.

To achieve 100 percent security is not possible, but that’s not an issue as long as you keep your IT infrastructure defendable. A good analogy is the human immune system. A healthy lifestyle will keep us fit, but it doesn’t provide total protection from viral infections. However, being sick isn’t the end of the world as long as the body is able, or with medical intervention enabled, to effectively defend itself and mitigate the impact of the infection. There is however a big difference between humans and an IT system. We know when we feel sick and we instinctively know when to go to the doctor. Getting this level of insight into an IT infrastructure is difficult, and at the same time there isn’t such a thing as a magic box which instinctively protects your network all on its own.

The solution is what I like to call the magic sauce, which is to put the right combination of threat prevention techniques together to make it close to impossible for an attacker to evade all of them. Palo Alto Networks Next-Generation Firewall isn’t a magic box either, but you can do magic with it if you use it in the right way, along with the other key components of the Palo Alto Networks security platform, including the Threat Intelligence Cloud and Advanced Endpoint Protection, and leverage its full potential.

For more information check out our Consigas blog post “Network Security Best Practices for Palo Alto Networks Next-Generation Firewalls” where we go through every single step of the Cyber Kill Chain to explain the most common attack techniques to infiltrate both data centers and end-user devices as well as the best practices to mitigate the attack.

[Palo Alto Networks Blog]

The Cybersecurity Canon: Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Jon Oltsik

Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It (2015) by Marc Goodman

Executive Summary

Future Crimes by Marc Goodman details the dark side of technology, examining how new technologies are used and abused for criminal purposes.  In just under 400 pages, Goodman provides some basic historical background on computer security and then guides the reader through a cybercrime journey spanning consumer, industrial, medical, and various other technologies.

Fair warning to prospective readers: the story isn’t pretty.  The author starts with a wake-up call about data privacy and how a plethora of companies like Facebook, Google, and OkCupid, and the $150 billion dollar data broker industry regularly collect, sell, and abuse user data.  When it comes to Internet services, Goodman reminds readers, “you’re not the customer, you’re the product.”

Future Crimes also explores the current derelict world of cyber peeping toms, bullies, revenge porn, and extortion.  While these crimes are already rampant today, Goodman theorizes that things will get worse with the proliferation of surveillance cameras, geo-location services, RFID tags, and wireless networking technology.  The point is crystal clear: each technology innovation increases the attack surface, and cybercriminals are only too happy to exploit these vulnerabilities for profit.

Aside from level setting on the present, about half of this book examines the future of cybercrime with an in-depth analysis of cybercriminal organizations, cybercrime processes, divisions of labor, specialization, and the overall cybercrime marketplace.  This analysis is especially useful for cybersecurity professionals seeking to understand what motivates cyber adversaries and how they do what they do.  Goodman also does a good job of aligning cybercrime with the proliferation of Internet of Things (IoT) technologies.  The author succeeds in introducing IoT technologies, describing their potential benefits, and then providing numerous examples of how these innovations have or will be used for nefarious purposes.

Future Crimes can be verbose and even alarmist at times, but these are minor shortcomings within an otherwise extremely educational and informative book.  The author is especially adept at providing real-world examples, research points, statistics, and news stories to back up his points throughout the text.  And while experienced cybersecurity readers may be familiar with many of the events described in the book, Future Crimes goes beyond other books by covering a variety of territories like consumer, industrial, medical, and even military technology threats, vulnerabilities, and crimes.  In this way, Goodman weaves familiar cybersecurity events into a unique wide-angle lens of cybercrime.

I found Future Crimes extremely educational and believe it is a worthwhile read for cybersecurity professionals and even business managers interested in learning more about a broad range of cyber risks.  As such, Future Crimes should be included in the Cybersecurity Canon.

Review

Being an industry analyst, people often ask me a rather fundamental question:  What is the difference between information security and cybersecurity?  Some of my peers believe that any distinction between the two terms is nothing but semantics. I disagree.  In my humble opinion, information security is inexorably linked to the confidentiality, integrity, and availability of IT assets and infrastructure (i.e., applications, data, networks, servers).  Alternatively, cybersecurity is a broader topic that encompasses the confidentiality, integrity, and availability of all connected systems – industrial control systems, medical devices, consumer devices, etc.

With these discrepancies in mind, Future Crimes by Marc Goodman can be categorized as a comprehensive analysis of the state of cybersecurity, its implications on consumer safety and privacy, and the collective impact of cybersecurity vulnerabilities on our society at large.

The book is divided into three sections.  In Part One (A Gathering Storm), Goodman explores today’s cybercrime realities.  Part Two (The Future of Crime), looks at the cybercrime underworld and maps technology development to new types of burgeoning and creative criminal activity.  Finally, Part Three (Surviving Progress) provides some cybersecurity recommendations to consumers, government agencies and technology companies.

In the first chapter of the book (Connected, Dependent, and Vulnerable), Goodman provides a situational analysis describing the state of cybercrime today and how we got to this point.  Here, Goodman compares cybercrime to physical crime, explains the differences, and then gives the reader a historical review of computer security and basic malware tutorial.  The author then quickly fast-forwards to today’s dangerous threat landscape, illustrating his points by recounting examples of identity theft and data breaches while providing several ominous statistics on the explosion of malware.  By the end of the chapter, readers should be well-aware of Goodman’s in-your-face message:  ‘Think your online world is secure?  Think again!’

With the first chapter as a baseline, Goodman proceeds through the first part of the book by digging deeper into criminal activities associated with the technologies we all use in our daily lives for communication, entertainment, health care, our jobs, etc.

For example, Future Crimes exposes the dark side of all of the free Internet services we all enjoy, such as email, search engines, and social networks.  Goodman provides numerous examples of how companies like Facebook, Google, and LinkedIn provide these free services while playing fast and loose with user privacy and monetizing user data as they see fit – today and in perpetuity.  Of course, most users have no idea this is happening, as they are relatively defenseless against typical terms of service (TOS) agreements.  The author actually cites a Carnegie Mellon University study stating that the average American encounters thousands of privacy policies each year with an average of over 2,500 words.

As if this weren’t enough, the book proceeds with a creepier scenario: everyone is gathering and profiting from our data—cellular phone carriers, data brokers, dating sites, you name it.  I was particularly troubled by the story of a supposedly altruistic website, PatientsLikeMe, focused on connecting people with chronic illnesses.  As it turned out, PatientsLikeMe was actually selling this deeply personal patient information to a Nielsen subsidiary (BuzzMetrics), which then packaged the data for sale to drug companies, medical device manufacturers, and insurance companies.  This served as a strong example of cyber caveat emptor for consumers.

Once readers understand just how vulnerable they are, Goodman shifts the narrative from victims to perpetrators.  Part Two of Future Crimes specifies that criminals have always pioneered new ways to use new technologies for malevolent purposes, and this trend is only accelerating with accelerated innovation.   The author delves into the organizational structure of cybercriminals, looking at reporting structure, specialization, outsourcing, and the overall criminal marketplace.  These chapters act as a Cybercrime 101 course with details about things like the use of money mules, cybercriminal communication using the Dark Net, digital currencies like Bitcoin, and average prices for stolen merchandise like credit card numbers, documents, and even assassination services.

True to its name, the book also examines future crimes associated with evolving Internet of Things (IoT) technologies that combine compute, network, and storage resources with consumer and industrial capabilities.  Goodman is a fan of IoT and highlights its potential benefits but is also quick to identify a myriad of vulnerabilities.  For example, implanted medical devices (IMDs) like pacemakers and insulin pumps could be remotely controlled and monitored by physicians, improving care and reducing healthcare costs.  Alternatively, insecure IMDs could also be hacked and used for criminal acts.  Imagine if thousands of diabetics using a particular IoT insulin pump received an email threatening to give them a lethal dose of insulin unless they paid an extortion fee of $1000.  Future Crimes looks at many similarly frightening scenarios.

It is worth pointing out a core strength of Future Crimes: it is replete with countless real-world stories and copious data points that accentuate Goodman’s points throughout the book.  For example, the book recounts the 2008 attack in Mumbai and describes how terrorists took advantage of technologies like cell phones, GPS, and real-time access to news feeds.  Goodman also reveals incidents of cyberbullying, industrial espionage, revenge porn, and outright cyber vandalism.  For example, the 2001 hack of an Australian sewage treatment plant that “caused millions of litres of raw sewage to spill out into local parks, rivers, and even the grounds of a Hyatt Regency hotel,” really reinforced Goodman’s message on the cyber risks and consequences related to critical infrastructure.

Future Crimes is not without a few flaws.  Experienced cybersecurity professionals are all too familiar with many of the examples cited, and there are certainly other books providing more details about each individual topic.  Some may consider Goodman as a cyber “Chicken Little,” pummeling readers, page after page, with a dystopian diatribe about technological evils.  The author’s recommendations toward the end of the book are somewhat disappointing; those with cybersecurity policy and management experience won’t find anything new here.  Finally, Future Crimes can be a bit verbose and repetitive at times, exhausting even the most energetic reader.

In spite of these few shortcomings, however, I believe that Future Crimes is a very good book.  In truth, Goodman is really a technology optimist and does a fine job of explaining the use of technologies for good and evil.  While some of the stories are familiar to the cybersecurity community, I found the author’s reviews to be concise and relevant toward a variety of cybercrimes.  Future Crimes’ best quality is its breadth of coverage.  In just under 400 pages, Goodman seems to cover everything (consumer technology, industrial technology, medical technology, etc.), comes up with specific examples of criminal exploits, and offers intelligent insight about future criminal trends.  Well done, Marc!

In my humble opinion, cybersecurity professionals will advance their education by reading this book, so I recommend its inclusion in the Cybersecurity Canon.  I would also suggest that business executives read Future Crimes in order to expand their knowledge about cyber risks.  This will help CEOs and corporate boards realize that they need to consider cybersecurity vulnerabilities and threats as they relate to employees, products, and the cyber supply chain – not just their organization’s IT assets.

[Palo Alto Networks Blog]

Spy Car: Hacked Vehicles and Potential Internet of Things Regulation

The terrifying remote hack of a Jeep on the highway, as reported by Andy Greenberg in Wired magazine, seemingly validates the pervasive, yet vague, fears that many consumers have about the digitalization of our everyday lives. Charlie Miller and Chris Valasek’s demonstration of their ability to control the car’s motor management system, remotely cut the brakes or disable the accelerator, and in certain circumstances, turn the steering wheel, all served as a reality check as to what the future of the Internet of Things might hold.

Additionally, the car hack enables surveillance. Currently, the GPS coordinates of a targeted car can be tracked, its speed measured and its route followed. It is not hard to imagine geolocation and other personal information (e.g., contacts from the dashboard) combined with physical hacks to further increase the threat to drivers.

Hackable Cars
While the 2014 Jeep Cherokee was the focus of this particular attack (apparently accomplished by using relatively inexpensive off-the-shelf components connected to a laptop and broadcasting the malicious data), all cars connected to the Internet are vulnerable to varying degrees. Those models with the most computerized functions and the fewest separate networks are the most hackable. For example, if a car’s engine, braking systems, Bluetooth, telematics and radio functions all run on the same network, it can make it easier for an attacker to gain control of the car’s computerized physical operations.

As Miller notes in the Wired article, “When you lose faith that a car will do what you tell it to do, it really changes your whole view of how the thing works.”

As a result of this hack, FIAT/Chrysler issued a recall for 1.4 million cars for a software update. The upgrade must be manually loaded at a car dealer, and cannot be remotely distributed over the Internet.

Physical versus Informational Hacks
While physical security in a hacked car is the predominant issue that comes to mind for clear reasons of immediate potential danger, hackers can also obtain tremendous amounts of data about the car and the driver’s driving style, speed, and locations. This pervasive data collection is likely to be more valuable to hackers in the longer term. As opposed to a hack over the car controls, which may become immediately obvious to the car’s occupants, a data hack may go unnoticed (for years).

Greenberg uses as an example the ability to track vehicle location and destination searches enabled through a car hack, which points to the level of informational detail that may be obtained by hackers. Building up a database from this information allows hackers to determine where a person lives, works, worships and shops. Over time, they can build an understanding of a network of family and friends; and even predict where the driver will go. Other information that can be obtained from a connected car includes biometric data, telephone calls and browsing history.

The legal landscape
In response to growing evidence that vehicle manufacturers are not prepared to protect the networks they increasingly rely on, with potentially fatal consequences for consumers, regulators are evaluating the protections provided by the legal landscape:

  • US Senators have introduced the Security and Privacy in Your Car Act of 2015, which would require the development of privacy and security standards by relevant government agencies.
  • In the EU, there are currently no initiatives to pass laws specific to the connected car. Instead, the applicable laws are understood to be the EU Data Protection Directive (soon Regulation) and Telecom Laws. These laws will need to be interpreted in relation to connected cars—for example, assessing whether there should be restrictions on vehicle-to-vehicle data transfer. Recently the Article 29 Working Group, which is composed of EU national Data Protection Authorities, issued an opinion on the Internet of Things, including a reference to connected cars and privacy.

To demonstrate to governments that new regulations are not necessary, car companies are developing industry standards. Two trade groups, the Association of Global Automakers and the Alliance of Automobile Manufacturers, have agreed to a set of privacy-enhancing principles effective in model year 2017.

Whether developing new laws, interpreting existing ones, or relying on industry standards, one thing is clear: customers must be able to trust their connected cars, or the “drivable smartphone” of the future is not going to go very far.

Sarah Pipes, CIPP, CIPT
Senior Advisor and Data Protection Specialist, KPMG in Belgium

Sarah will speak at the 2015 ISACA EuroCACS/ISRM Conference on Privacy Challenges in the Internet of Things, with co-presenter Ronald Koorn, Partner, KPMG in The Netherlands.

[ISACA Now Blog]

8 Security Essentials for Managing Business Operations


Date : 7 Sep 2015

Organisation : (ISC)2

Writer : Chuan-Wei Hoo


According to the 2015 (ISC)² Global Information Security Workforce Study, 62 percent of nearly 14,000 respondents believe that their organizations have too few information security professionals. Signs of strain within security operations due to the workforce shortage are materializing: companies and organizations are increasingly struggling to manage threats and avoid errors, and are taking longer to recover from cyberattacks. The strategies of investing in security technologies, personnel and outsourcing will be insufficient to materially reduce the workforce shortage instantly. An expansion of security awareness and accountability throughout the organization is required. A more impactful approach is to embed real security accountability into other departments, and for the IT and security departments to function more collaboratively. Solving the problem will not just require the orchestration of information security leaders, but all cyber-enabled organizations to elevate the level of importance and ownership of security amongst all employees. Here are some key security essentials that everyone in business operations should observe.

1. Asset Security — protect the company jewels
Every company has information that it considers to be crown jewels. Perhaps it’s scientific and technical data or documents regarding possible mergers and acquisitions, or clients’ non-public financial information. This is why we must address the policies and processes around the collection, handling and protection of information throughout its lifecycle. Each enterprise should carry out an inventory, with the critical data getting special treatment. Each priority item should be guarded, tracked and encrypted as if the company’s survival hinged on it. In some cases, it may. The concepts, principles, structures and standards used to monitor and secure assets are crucial to the enforcement of various levels of confidentiality, integrity and availability.

2. Security and Risk Management — build a risk-aware culture
The idea is elementary. Every person within an organization can infect it; whether it’s from clicking a dubious attachment or failing to install a security patch on a smart phone. So the effort to create a secure enterprise must include everyone. Building a risk-aware culture involves setting out the risks and goals, and then spreading the word throughout the entire company. But the important change is cultural. Think of the knee-jerk reaction — the horror — that many experience if they see a parent yammering on a cell phone while a child runs into the street. The information security leaders who try to nurture risk-aware cultures should have a broad spectrum understanding of general information security and risk management topics, beginning with the fundamental security principles of confidentiality, availability and integrity.

3. Software Development Security — embed security in design
Imagine if the auto companies manufactured their cars without seat belts or airbags, and then added them later, following scares or accidents. It would be both senseless and outrageously expensive. Similarly, one of the biggest vulnerabilities in information systems — and wastes of money — comes from implementing services first, and then adding security on as an afterthought. The only solution is to build in security from the beginning, and to carry out regular automated tests to track compliance. This also saves money. If it costs an extra $60 to build a security feature into an application, it may cost up to 100 times as much — $6,000 — to add it later.

4. Communication and Network Security — establish secure communication channels
Consider urban crime. Policing would be far easier if every vehicle in a city carried a unique radio tag and traveled only along a handful of thoroughfares, each of them lined with sensors. The same is true of data. Companies that channel registered data through monitored access points will have a far easier time spotting and isolating malware. Cybercriminals are constantly probing for weaknesses. Each work station, laptop or smart phone provides a potential opening for malicious attacks. The settings on each device must not be left up to individuals or autonomous groups. They must all be subject to centralized management and enforcement. And the streams of data within an enterprise have to be classified, each one with its own risk profile and routed solely to its circle of users. Securing the workforce means vanquishing chaos and replacing it with confidence.

5. Identity and Access Management — track who’s who
Say a contractor gets hired full time. Six months pass and he/she gets a promotion. A year later, a competitor swoops in and hires him/her. How does the system treat that person over time? It must first give him/her limited access to data, then open more doors before finally cutting him/her off. This is managing the identity lifecycle. It’s vital. Companies that mismanage it are operating in the dark and could be vulnerable to intrusions. This risk can be addressed by implementing meticulous systems to identify the people, manage their permissions and revoke them as soon as they depart.

6. Security Assessment and Testing — patrol the neighborhood
Say a contractor needs access to the system. How do you make sure he/she has the right passwords? Leave them on a notepad? Send them on a text message? Such improvisation has risk. An enterprise’s culture of security must extend beyond company walls to establish best practices among its contractors and suppliers. This is a similar process to the drive for quality control a generation ago. And the logic is the same: Security, like excellence, should be infused in the entire ecosystem. The ruinous effects of carelessness in one company can convulse entire sectors of society.

7. Security Operations — manage incidents and respond
Say that two similar security incidents take place: One in Brazil, the other in Pittsburgh. They may be related. But without the security intelligence needed to link them, an important pattern — one that could indicate a potential incident — may go unnoticed. A company-wide effort to implement intelligent analytics and automated response capabilities is essential. Creating an automated and unified system will enable an enterprise to monitor its operations — and respond quickly.

8. Security Engineering — assess and mitigate vulnerabilities
It happens all the time. People stick with old software programs because they know them, and they’re comfortable. But managing updates on a hodgepodge of software can be next to impossible. Additionally, software companies sometimes stop making patches for old programs. Cyber criminals know this all too well. In a secure system, administrators can keep track of every program that’s running, be confident that it’s current, and have a comprehensive system in place to install updates and patches as they’re released. Balance managing risk and enabling innovation. The administrator and/or security leaders should know the practice of building information systems and related architecture that continue to deliver the required functionality in the face of threats that may be caused by malicious acts, human error, hardware failure and natural disasters.

To download a copy of the 2015 (ISC)2 Global Information Security Workforce Study, please go to www.isc2cares.org/IndustryResearch/GISWS/

[Cyber Security Information Portal]

Palo Alto Networks and AirWatch Mobile Security Alliance

In an earlier blog post I mentioned that the challenge for securing mobile devices has been formidable for many organizations. The limitations that arise out of classical approaches and assumptions towards security have led to many dead ends in the era of BYOD.

By working with AirWatch by VMware, we have developed a number of technical integration points that address the challenge for securing BYOD by providing ways to secure business apps and data and stop threats while still respecting the boundaries of privacy of personal data and traffic. This type of work is only possible by bringing together our engineering teams to design features in our respective products and develop the necessary APIs to exchange the information and make the best policy decisions.

Palo Alto Networks and AirWatch by VMware have a close partnership that makes this type of interaction possible. This week, we are at AirWatch Connect 2015 in Atlanta, and proud to highlight yet another development in our relationship.

AirWatch announced the AirWatch Mobile Security Alliance, an initiative that highlights the growing concerns over mobile threats and provides AirWatch customers with trusted, tested and integrated options to provide protection. Palo Alto Networks is a member of the AirWatch Mobile Security Alliance, and customers who depend on AirWatch to manage their mobile devices can use integration with Palo Alto Networks to inspect business traffic, stop known and unknown mobile threats, and identify mobile devices that are already infected with malware.

At AirWatch Connect, the Mobile Security Alliance is front and center as one of the major focuses around security. If you’re here at the conference, be sure to see the announcement at the keynote session and stop by and see us at the Mobility Expo. If not, you can learn more about the partnership from www.paloaltonetworks.com/airwatch. I look forward to seeing you here in Atlanta!

[Palo Alto Networks Blog]
