The Cybersecurity Canon: Rise of the Machines: A Cybernetics History

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Bob Clark: Rise of the Machines: A Cybernetics History (2016) by Thomas Rid

Executive Summary

As cybersecurity practitioners we have a lot to read simply to stay current in our industry. However, after reading the latest threat reports, flash releases, CERT notifications, CVEs and product briefs on emerging technology, we should also make time for books that develop us as complete practitioners. This is one of those books. Understanding our history, and how we got here, makes you a better practitioner with a broad base of knowledge. And hell, who doesn’t love a book that talks about the HAL 9000, Arthur C. Clarke, Playboy articles, Omni magazine, AT-ATs, Terminator, Karel Čapek’s R.U.R. (the 1920 Czech play that gave us the word “robot”), Blade Runner, the Whole Earth Catalog, the Merry Pranksters and acid trips, the counterculture of San Francisco, and finally, finally, lets us all quote the real origins of that much-maligned term “cyber.” Rise of the Machines: A Cybernetics History covers it all, including the arts, literature, and trends in pop culture.

The author, Thomas Rid, is a professor in the Department of War Studies at King’s College London and the author of Cyber War Will Not Take Place and War and Media Operations. Rid’s research is extensive. He takes us through the history of cybernetics, the merging of man and machine, starting with its foundations in Norbert Wiener’s writings of the 1940s, moving through each subsequent decade, including the West Coast techno-libertarians’ additions to the theory, and ending with an extensive look at what Rid calls the first cyberwar.

As Matthew Kirschenbaum states in his review:

Rise of the Machines is a sweeping intellectual history, engagingly written and brought to life by numerous details and anecdotes. Cybernetics and its progression of offshoots — cybernation, cyberculture, cyborgs, cyberspace, cyberpunk, cypherpunk, and finally cyberwar — are all disentangled and demystified in its pages.

Cybersecurity Canon candidate books are supposed to be essential to the cybersecurity practitioner, and it is great to be steeped in the specific knowledge that makes you an expert. However, it is the well-rounded practitioners who distinguish themselves among their peers, and reading this book will definitely help with that goal.

Review

I confess, any book that can properly define the word “cyber” – I’m all for it, especially with so many practitioners and policy wonks misusing the term. Rid recognizes this and uses his historical survey to help us all understand where, when and how to use the prefix “cyber.” He helps the industry immediately by stating, correctly, that “cyber” is a prefix slapped onto anything to make it sound more technical or interesting. He then answers the oft-asked question, “where did cyber come from?”, and slams the door on the myth we have all heard and repeated, that “cyber” is the child of William Gibson’s Neuromancer. “Cyber” comes from “cybernetics,” a general theory of machines that took shape in the 1940s; it was about computers, control, security, and the ever-evolving interaction between humans and machines.

Rid builds the book’s narrative through eight chronologically organized chapters, among them Automation, Organisms, Culture, Space, Anarchy and War. Cybernetics found its beginnings in Norbert Wiener’s foundational Cybernetics: Or Control and Communication in the Animal and the Machine (1948), which became an improbable bestseller. Using this as a launching point, Rid looks at cybernetics through the decades, covering not only the technological advances but also the philosophical developments that accompanied the merging of machines with humans. Others who come and go along the way include John von Neumann, Gregory Bateson, Stewart Brand, Timothy Leary and Jaron Lanier.

Developed by MIT mathematician Norbert Wiener amid the devastation of World War II, the cybernetic vision looked at the merging of man with the future of machines. The drive to combine man and machine to improve our defenses and man’s capability to fight runs through the early advances in war-fighting capabilities: not only man becoming engaged with various machines, but also the computer systems built around them, such as the SAGE air defense system that NORAD would later operate.

The 50s and early 60s saw the same focus: building technology that could increase man’s power and strength, including fighting devices developed for the war in Vietnam and walking machines that never got past prototypes but preceded the AT-ATs of Star Wars. Ultimately cybernetics split into two competing factions: those seeking to make a better world (Bay Area denizens and libertarians hoping for a new unregulated and uncontrolled digital space) and those seeking to control it (Washington, DC).

In the 60s and 70s the technology side of the cybernetics movement changed with the Bay Area’s embrace of drugs, rock and computers. Rid details the rise of this movement and its numerous West Coast influencers, the same milieu that would later produce the Electronic Frontier Foundation (founded in 1990), a great organization for defending civil liberties in the digital world.

As the Bay Area movement subsided, the 80s brought us Gibson’s cyberpunks, and “Rid takes us back inside the green machine — the military, specifically the U.S. Department of Defense, aligning the precepts of the AirLand Battle that was supposed to defeat Warsaw Pact tank armies in the 1980s and the post-Desert Storm revolution of military affairs with cybernetic arts of war.” We also see the rise of unfulfilled promises of cool “virtual reality” devices, the prototypes of which were clunky at best and looked like “Dark Helmet” from Mel Brooks’ Spaceballs. And let us not forget what the 90s brought us, of course: the crypto wars and the introduction of the cypherpunks.

Finally, Rid finishes with a topic near and dear to his heart and extensively researched: Moonlight Maze, which many U.S. government folks called the first state-on-state cyberwar. (Cyber-espionage is what it should have been classified as.) Ironically, Matt Kirschenbaum compares Rid’s discussion of this subject with Fred Kaplan’s in Dark Territory, also reviewed by me and on the Canon website. Kirschenbaum believes Rid presents this information much more deeply than Kaplan. And while I know Rid’s research is extensive, I thought both covered it equally well, with Kaplan painting the Russians’ actions much better. Then again, I think it fit better into Kaplan’s book and was treated appropriately in Rid’s.

Of course “the climax of the book is its discussion of the complex of public fears around an Electronic Pearl Harbor (the language is Hamre’s), a phrase whose staying power Rid sees as evidence of the machines at their apogee.”

Conclusion

Rise of the Machines: A Cybernetics History will not make you more proficient in your cybersecurity job, unless you’re a policy wonk. What this book will do is make you a better practitioner, well-versed in “the rise of the machine.” And if your promotion comes down to advancing an SME who can speak solely to his/her area of expertise or promoting one who, all things being equal, is more well-rounded, then this book will definitely help and give you knowledge to be used as a cyber-professional. (See how I did that? I used “cyber” as a prefix before “professional.” Tom Rid would be proud – I think.)

[Palo Alto Networks Research Center]

LabyREnth Capture the Flag (CTF): First Set of Winners Announced

We’ve had more than 4,000 threat researchers join us for LabyREnth, the first Unit 42 Capture the Flag (CTF) challenge, and we still have two more weeks to go before the challenge closes. The community has put forth an amazing effort across the 6 challenge tracks, and we want to recognize the herculean effort of the select few who were first to complete all challenges and individual tracks. It is a testament to their skill, commitment and time, and we hope they enjoy the $16,000 worth of prizes to which they are entitled. We are holding an exclusive gathering to celebrate the winners at DEF CON this week, and we look forward to seeing them in Las Vegas!

For those of you who didn’t win the grand prizes, LabyREnth is open until 11:59 p.m. Pacific Time on August 14, 2016. It’s a great way to try your hand at challenges, have fun, win prizes, and learn something new.

Please join us in congratulating the initial winners:

Overall winners:

  • 1st to solve all challenges: KT (@koczkatamas) and also 1st to solve the Random track
  • 2nd to solve all challenges: F4b (@0xf4b)
  • 3rd to solve all challenges: Dan Raygoza (@danielvx)

Track winners:

  • 1st to solve Windows track: Wayrick
  • 1st to solve Unix track: Sine (@73696e65)
  • 1st to solve Docs track: Sin__ (@mztropics)
  • 1st to solve Mobile track: n0n3m4
  • 1st to solve Threat track: Nxgr (@Nxgr_l)

[Palo Alto Networks Research Center]

3 Important Takeaways from the RBI’s Cyber Security Framework in Banks

In June 2016, the Reserve Bank of India (RBI) sent CEOs of Indian banks an important circular, the Cyber Security Framework in Banks. The document states that banks have an urgent need to put in place a robust cybersecurity/resilience framework and to ensure adequate cybersecurity preparedness on a continual basis. Issuing cybersecurity guidance is not new for RBI, which issued a similar document in 2011. However, this particular document is timely and essential. Information technology (IT) is now part of banks’ operational strategies, essential for both them and their customers. At the same time, as RBI points out, the number, frequency and impact of cyber incidents on Indian banks have increased substantially. Like their peers globally, Indian banks are committed to maintaining customer trust, protecting financial assets, and preserving their own brand and reputation, and the industry will remain a top target of cybercriminals using increasingly sophisticated methods. Thus, it is urgent that banks continue to improve their cyber defenses.

The RBI guidance consists of the overall/introductory framework and guidance and three annexes:

  1. An indicative set of baseline cyber security and resilience requirements.
  2. Information on setting up and operationalising a cyber security operation centre (C-SOC).
  3. A template for reporting cyber incidents to the RBI.

Within the range of instructions and recommendations in the guidance, three things rise to the top as notable.

First, the guidance instructs banks to involve their boards of directors and other senior management in cybersecurity. Boards must approve their banks’ cybersecurity policies and strategies and, more generally, they need to be brought up to speed on potential cybersecurity impacts, including their banks’ preparedness, and the need to manage cyber risks. At the same time, the guidance notes that managing cyber risk requires awareness and commitment among staff at all levels. We agree wholeheartedly. Executives can no longer delegate the whole cybersecurity agenda to the IT division. Because the value of a bank’s brand can be directly affected by security incidents, security needs to become an integral part of the company strategy at the highest possible level, actionable at every branch and corporate site and supported by greater employee awareness. Through our recent book, Navigating the Digital Age, and our online community, SecurityRoundtable.org, Palo Alto Networks seeks to share best practices, use cases and expert advice to guide executives on managing cybersecurity risks.

Second, the guidance directs Indian banks to take a risk management approach to cybersecurity. RBI notes that the size, IT systems, technological complexity, stakeholders, and other factors vary from bank to bank, and thus banks must identify their own inherent risks and needed controls to adopt an appropriate cybersecurity approach. We agree. No “one size” cybersecurity solution will fit all banks. However, there are some best practices that will improve overall cybersecurity hygiene.

Third, the guidance emphasises prevention. For example, the guidance says that banks should not allow unauthorised access to networks and databases, should take necessary preventive and corrective measures, and should endeavour to stay ahead of the adversary. We agree. Given that banks everywhere are constantly under siege from cyber attackers, a prevention-minded philosophy for cybersecurity is needed. Detection and remediation on their own are too little and far too late to properly protect the financial assets and information of banks’ clients. This is where the SOCs called for by RBI will be extremely helpful. Per the guidance, a bank’s SOC should “keep itself regularly updated on the latest nature of emerging cyber threats” and be “well-prepared to face emerging cyber threats such as zero-day attacks”. However, SOCs are just part of the solution. Building cybersecurity into the overall network or enterprise architecture will also contribute to a preventive posture. Palo Alto Networks is focused on preventing successful cyberattacks and can be part of such a layered defense approach.

The guidance’s baseline cybersecurity and resilience requirements are helpful. They include recommendations to meet many of the goals laid out above, such as a requirement to have advanced real-time threat defense and management. However, as RBI notes, the list is indicative and not exhaustive. As they seek to manage their ever-evolving risks, it is critical that banks retain the flexibility to ascertain and deploy the most advanced technologies and processes to ensure the best possible protection of client data and financial assets.

Today’s digital way of life puts immense pressure on the financial services industry. Individuals, institutions and governments demand an unprecedented level of access to their financial assets and information. Clients must trust that their financial assets and information are safe yet also readily available. This trust is best built and maintained with a breach prevention-based mindset for cybersecurity.


[Palo Alto Networks Research Center]

Mark Kaigwa: Mobility Has Massive Implications for Africa

ISACA Now recently talked with Mark Kaigwa, African IT entrepreneur, about the future of IT in Africa. Kaigwa is a keynote speaker at the first-ever Africa CACS at the InterContinental Nairobi, Kenya, which takes place Monday, 8 August to Tuesday, 9 August.

The following is a question-and-answer session with Kaigwa.

ISACA NOW:  It seems that the opportunities for IT in Africa are endless. Obviously, social media is huge. What other opportunities for IT in Africa do you see over the next 5–10 years?
KAIGWA:  I see mobility as one of the greatest epochs of Africa’s technological history. The last 7 years have witnessed nations shift from cyber cafés as the gateway to the Internet to the pockets of hundreds of millions on this continent. I believe that it is indeed something to marvel at.

The implications are massive. You can no longer have an election without factoring in the broader thinking that goes into the mobile phones we know and love, to the extent that in Kenya, where the inaugural Africa CACS will be held, serious conversations have revolved around whether mobile money and mobile phones should be used in the voting process. To illustrate, the total number of registered voters is estimated at 15 million while there are 25 million mobile money users.

I think the layer above mobile is what excites me as we’re only beginning to see the possibilities. Look at how connected devices are entering various sectors, such as the education system, where Kenya recently piloted a program that will see 100,000 students explore learning aided by laptops.

For national security, there’s been a push in the private and public sectors. When it comes to traffic and mobility, Nairobi loses a colossal amount in traffic per day. An IBM study found it the 4th most-stressful city for drivers (after Mexico City, Shenzhen and Beijing). The yearlong study was on how drivers react and vehicles behave as they negotiate obstacles on Nairobi streets. The public sector has seen the deployment of a national police surveillance system powered by 4G technology from Safaricom. This included connecting 195 police posts and HD and Ultra-HD CCTV cameras monitoring traffic and security connecting to a national command and control room.

Kenya’s investor community is pushing boundaries in the Internet of Things (IoT) with organizations like BRCK educating customers and the market. There is also Product Health, an organization looking into supporting solar enterprises. I have great interest in the data we are generating and what that data means for consumers and companies.

At the same time I recognize the risks. To illustrate, in Kenya today you have people that fall within the cracks when it comes to complying with the checks and balances of traditional access to capital and loans. However, one peek at their mobile devices tells a much better story than any bank account ever could. Companies from Silicon Valley and Silicon Savannah are battling for the future of finance, especially for lending based on mobile data.

Organizations like Branch, Saida and Tala take information on Android phones and score them on virtual creditworthiness. Small factors such as how much airtime one uses, how many times one charges the phone each day, and whether one gambles on sports betting web sites are included, in addition to one’s mobile money transactions. Tala claims to have over 10,000 data points to make a lending decision. No paperwork involved. M-KOPA pioneered this on a broader basis, pushing beyond access to mobile phones and consequently mobile money by exploring what happens when you build credit scoring based on purchasing power from micropayments.

Second to that, I’d say that chat apps and instant messaging applications also excite me. I’ve followed the growth of Ghanaian startup Beam and others using WhatsApp as an onboarding process. Remittances across the continent exceeded aid in 2012. Since the rise of cryptocurrencies there are myriad start-ups solving the payments space. Beam began this way but pivoted to a new and more interesting proposition.

It isn’t what gets the money into the country that matters, but where it goes and the certainty one has that it is buying what it was intended to buy. This means that if a person has sent $10,000 to family members to purchase a parcel of land, what else do they have but the family members’ word to go on when checking to see that this is what it was spent on?

ISACA NOW:  What are the challenges to Africa’s IT revolution? What solutions do you envision?
KAIGWA:  If we take the two above scenarios, they invariably bring security challenges. The issue of cybersecurity is one that has people divided.

The greatest of these is on the connectivity front. I’m interested in seeing how the debate on net neutrality plays out on the continent, particularly after India’s decision on net neutrality; we have yet to see any clear reverberations on the continent.

The continent isn’t homogenous. There are 54 different negotiating tables for Facebook to sit with regulators. It is also worth noting that the way true regional lines get erased is when telcos are able to use their borderless technologies and economies of scale to facilitate entry for technology giants. The case in point is Airtel as a partner for Facebook’s Internet.org on the continent.

Mobility itself remains a challenge. Yes, one can engage and build with mobile in mind, but that is not the be-all and end-all of technology. Challenges and pain points in the user experience of unstructured supplementary service data (USSD) are an area that needs further thought. The need to go through menu after menu can prove taxing, especially given the number of timeouts. User experience on mobile (outside of apps) remains a challenge. This considering that USSD does not grant uniformity. From an iPhone 6S plus to a Nokia 3310 (were one to be revived and put back on a network) the interaction is virtually the same.

Regarding mobile money, the Brookings Institute noted that when South American countries were compared to African ones (especially those advanced in the penetration and use of mobile money), there were generally higher rates of formal bank account ownership among marginalized groups (i.e., women and low-income individuals) and higher rates of debit card, credit card use and Internet use for bill payments and purchases than the African countries. Conversely for Africans it remains primarily mobile driven. I’m exploring what this means when it comes to delivering a consistent and cyber-secure experience on mobile channels to customer segments not aware of risks and vulnerable to fraud.

ISACA NOW:  Where are African enterprises at from a cybersecurity standpoint? Where are African citizens at, cybersecurity-wise? What are the challenges and solutions?
KAIGWA:  The biggest challenge here remains, as seen above, the tendency to categorize the continent as homogenous. As is becoming an adage now—Africa is not a country. The contradictions, challenges and comparisons between countries yield different results each time. One can, however, find parallels when looking at the four corners of the continent: Kenya for East Africa, Nigeria and/or Ghana for West Africa, Egypt for Northern Africa and South Africa for Southern Africa.

To illustrate, one of the continent’s main pan-African organizations, the African Union (AU) in 2014 adopted its Convention on Cybersecurity and Personal Data Protection. The Convention sought to improve how African states address cybercrime, data protection, e-commerce and cybersecurity. Presently, only 8 of the AU’s 54 members have signed the Convention, with none ratifying it. The solutions will take a country-by-country examination of common ground and political will to take action as the consequences will be felt by nation states and the current and next generation of Africans coming online.

ISACA NOW:  What will be the key takeaways from your address?
KAIGWA:  The key takeaways will be 3 provocations for Africa CACS based on looking at the continent and observing the rise in mobility, the opportunity and threats, and how stakeholders in the public and private sectors and the general public can compete or collaborate to Africa’s advantage and strengths.

My talk begins and spends time looking at what one of the more recent digital “arms race” developments looked like and what the consequences are for the ISACA fraternity and beyond.

Editor’s note:  The first-ever Africa CACS takes place 8 August to 9 August.

Mark Kaigwa, IT Entrepreneur, Nendo

[ISACA Now Blog]

Six Ways to Deliver Better Risk Assessment

Over time, the term risk assessment has become so commonplace that it has almost lost its meaning and is now much maligned.

Organizations run helter-skelter carrying out risk assessments that eventually become exercises in futility. One wonders why well-meaning managers, highly paid consultants and C-suite members with years of experience, access to tons of research, and the best of intentions so often end up with unusable outcomes.

Here are 6 key lessons from more than a decade of working with organizations across the board on risk assessments from various perspectives, including information security, application security, health and safety, and project management:

  1. Strategize:  The first step is to put in place a well-defined and articulated strategy which not only becomes a guidepost which can be revisited time and again, but which also can be the buoy you cling to when the time comes. A clear, well-articulated strategy can go a long way in ensuring successful risk assessments and driving outcomes.
  2. Keep it simple:  Simple is the friend of the wise and can go a long way in ensuring effective risk assessments and outcomes. A simple risk assessment is aligned with strategy, has wide and deep buy-in, and can help keep things practical. Simple risk assessment approaches deliver results easily and enable stakeholders to use them to manage risks effectively. Characterized by very close alignment to the organization and its context, its culture and ease of use, keeping it simple can help ensure sustainable success.
  3. Buy-in, buy-in, buy-in:  Irrespective of the reason for the risk assessment, effectiveness is determined by how deeply various stakeholders are involved, how much information is shared, and how the outcomes are perceived. Stakeholder buy-in can determine how the risk assessment is approached and how various stakeholders get involved; a sure shot way to achieve success. Buy-in is easier said than done and requires effective training and communication, transparency on all aspects relating to the risk assessment, a risk-aware organizational culture, and most importantly, visible management commitment.
  4. Perfect is the enemy of practical:  Aiming for perfection is desirable, but in most organizations considering day-to-day requirements, the outcomes expected and constraints ranging from limited time, the need to take action as you go along on identified risks, the dynamic nature of risks, and the need to balance risks and costs involved, it is imperative to ensure that the focus is on the practical. Being practical means the risk assessment used is repeatable, reliable and produces consistent results over time. Remember:  you want to be able to identify potential risks and take reasonable actions to mitigate and recover in case risks occur.
  5. Benchmark wisely:  A key piece of advice on risk assessments is to benchmark. Assessing the outcomes of your risk assessment against what your peers in industry are doing can give your efforts a sense of stability and provide much needed navigational support. But it is worth remembering that your industry peers are as fickle as you are and no one wants to share information that is less-than-stellar. Very often benchmarking data comes with small print which simply means that the data is usable under certain standard test conditions and may be impractical if not outright nonsensical.
  6. Modeling is best left to the ramp:  Ok, I know your eyebrows might have merged with your hairline, but the point is, unless models are chosen appropriately and customized to suit your organizational needs and the purpose you have in mind, off-the-shelf models can actually make things more difficult. If you must choose a model, keep it simple (see point 2 above).

Combine the above in the right proportions and your risk assessment is far more likely to deliver results and go a long way toward achieving organizational objectives and strategies, leading to effective risk management.

R.V. Raghu, Director, ISACA

[ISACA Now Blog]
