After Slow Start, the Cybersecurity Coordinator Appears to be Gaining Momentum

It was very encouraging to hear the updates from Howard Schmidt, the White House Cybersecurity Coordinator, as reported from the meeting held at the White House on July 14.  The meeting was obviously designed to show progress on the cybersecurity issue and demonstrate that the White House still intended to take a leadership role.  Homeland Security Secretary Janet Napolitano and Commerce Secretary Gary Locke attended the meeting, as did IT security leaders from the DoD, NSA, FBI, and several other agencies.  Most importantly, the President himself made an appearance to provide his support, which was a key visual for Mr. Schmidt as he continues to get his hands around the role.

This blog has been consistently critical of the large gap between the announcement of the role of Cybersecurity Coordinator and the appointment of Mr. Schmidt.  However, there are very promising signs that progress is being made and that Mr. Schmidt is a good fit for the role.  I have been to numerous events where Mr. Schmidt has spoken, and he is obviously eager to take the cybersecurity message to the public and be accessible.

I had the unique opportunity to speak briefly with Enrique Salem, the CEO of Symantec, at a reception following Symantec’s Government Symposium last month, and Mr. Salem is an enthusiastic supporter of Mr. Schmidt.  This is consistent with the overwhelmingly positive feedback from everyone I have encountered in the industry who knows Mr. Schmidt or has firsthand experience working with him.  He seems to be the right person for a delicate and challenging job.

When I worked at webMethods, CEO Phillip Merrick often used the metaphor of the railroad junction approach employed by the Union army in the Civil War.  It was an important tactic of the Union to divide and attack the Confederacy by controlling important railroad junctions.  Merrick was speaking about controlling important junction points in electronic commerce, but I was reminded of the metaphor when thinking about the critical link between the defense of our country and cyber security.

The railroad junction approach is a representative tactic of a broader strategy of warfare: targeting all of the things that enable an enemy to wage war, thereby weakening that enemy and forcing a more rapid conclusion to hostilities.  The United States has based much of its ability to wage war on its ability to effectively network information.  That makes these networks a logical attack point for our adversaries, and we must do all that we can to prepare for that scenario and protect against such incursions.  This is not limited to just the systems supporting the DoD – our financial systems, infrastructure, and transportation are also at risk.

Progress relies on someone to lead policy as well as become an effective facilitator between the government and the industry.  By all indications, Mr. Schmidt is that person, and by appearing at last week’s meeting the President continues to demonstrate that cybersecurity is a priority to the country and that Mr. Schmidt has his support.

As the saying goes, it is not about how you start but how you finish.  We may not have agreed with the slow start regarding the appointment of the Cybersecurity Coordinator, but we like the early indications of the direction of the role under Mr. Schmidt.  And we are hopeful for continued progress.

A Condensed Guide to the Security Fails of 2009

The past several weeks I have been posting a series I called the Security Fails of 2009.  It was designed to be a look at stories that illustrated the challenges faced in IT security as well as some of the broader issues shaping the industry. 

For your convenience, here is a recap with links:

12/10 – The Marine One Breach – illustrates the threats created by unauthorized applications.

12/14 – The Strange Case of the Missing Cyber Czar – a look at the seven months that had passed since the announcement of the position in May.  Obviously the position has been subsequently filled.  Coincidence?

12/16 – Conficker Becomes a Media Darling.

12/18 – Adobe Takes the Exploit Crown from Microsoft.

12/21 – The Heartland Payment Systems Breach – Lessons learned from the largest breach of customer data to date.

Cyber Czar Announcement Slipped Under the Door – What Does That Say?

Today it was announced that Howard Schmidt was appointed to the White House Cybersecurity Coordinator position, otherwise known as the cyber czar.  Much has been written in our blog about this position since it was announced, and the timing and approach of the announcement have done nothing to eliminate the concerns previously expressed.  I have much reading to do before I comment directly on Mr. Schmidt, but I do have very strong impressions from the way it has been handled.

The position was originally announced at a press conference in late May on the Friday before Memorial Day.  Not exactly a day and time that you would select for something of importance or to maximize the impact.  Months passed as candidates not only turned down the position, but candidates like Melissa Hathaway left the government for the private sector. 

And now we get an announcement stating the position has been filled on the Tuesday of Christmas week, in a city where most of the government is closed because of a record setting snowstorm.  The announcement gets a mention on the White House blog with a picture of the President shaking hands with his new Cybersecurity Coordinator in what appears to be a hallway.  No press conference, no fanfare, no President standing at the side of the new Czar as a show of support to the position and a commitment to the idea of cyber security. 

I went to the White House press page at 11:00 am EST and there is no formal announcement.  There is news about the Enactment of the Airline Flight Crew Technical Corrections Act, something about agencies cutting spending by $19B, and some nominations that were sent to the Senate, but nothing about this position. 

I am sure there will be Obama acolytes that will line up to applaud the announcement, but I find myself angry today as I weigh what I see from the White House.  I have the somewhat unique perspective of being a marketing person in cyber security.  That means that cyber security is important to me and I have a taste of the threat against our country.  As a marketing person, I see the not-so-subtle signals being sent by the White House regarding this subject.  Put this in the context of the amount of energy thrown at other items such as the Chicago Olympic bid, and it is reasonable to draw the conclusion that the White House is not committed to cyber security and this role.

I would be a lot angrier if I had not spent the last year working with people at NIST, the NSA, the intelligence community and the DoD who are proactively and energetically looking for new and innovative ways to protect our government from malicious attacks.  Best of all, these groups are working together to share data and knowledge in a way that would make taxpayers happy and proud.  So I’ve seen real, actionable progress taking place long before Mr. Schmidt assumed this role.   

To be clear, I never viewed the cyber czar as some sort of mythical figure that could solve our cyber security problems with a wave of the hand, but I was hopeful that the role would serve as a way to focus attention on the problem and help create a sense of urgency toward progress.  And if that person was seen as having the “full faith and credit” of the President, it would give that person some authority to be something other than a figurehead.  But that is exactly how I view this position today – a campaign promise fulfilled in the least effective way possible and with minimal authority, buried in slow press days.

This week we got news that our military drones had been hacked with $26 software, a plea was entered in the Heartland breach by the same person who pulled off the TJX breach (who used a simplistic and well known SQL injection technique to penetrate Heartland), and that Twitter was disabled completely by a DNS attack.  And we get a tepid announcement the Tuesday before Christmas on a position that it took them seven months to fill.  I’d hate to see what type of catastrophic, IT security based incident it would take to make the White House treat the problem with the seriousness it deserves.

Does the Hathaway Resignation Signal Movement Toward a Cyber Czar?

Yesterday I posted about the two-month anniversary of the May 29 announcement by the White House regarding the creation of the Cyber Czar position and the subsequent lack of progress in finding someone to fill that position.  The proverbial plot thickened that afternoon when it was announced that Melissa Hathaway, acting cyberspace director for the White House National Security and Homeland Security councils, had resigned from her post.

I do not know Ms. Hathaway, nor do I claim to be close to the process of selecting the Cyber Czar, so at best what I can do is engage in a well-worn tradition here in the Washington D.C. area and speculate.  Numerous reports have said that Ms. Hathaway was interested in the role, as she was the lead in creating the Cyberspace Policy Review that defined this new position.  In my view, logic and reason would indicate that if she were going to be the Cyber Czar they would have appointed her at the announcement in May rather than have this uncomfortable and undefined gap we are living with today.  So while reports say she withdrew her name two weeks ago, I suspect that the realization that she was not the administration’s choice came much earlier.  Regardless, the work done on the review was broad and extensive, and she should be recognized for helping to move the dialogue about IT security forward.  I wish her the best in her new endeavors.

I am hopeful that Ms. Hathaway’s departure is an indication that the administration is close to having a name for the position and her exit was designed to make the transition more seamless.   I do not question her stated motives, but having her voluntarily leave prior to the announcement of the cyber czar makes for a much cleaner transition for the President and eliminates the need to orchestrate what could have been an awkward departure.   If the administration is not close to having a candidate, then her resignation will likely have the effect of forcing the administration to accelerate the process as her departure eliminates the safety net that existed with her in the role, albeit as a lame duck.   Or we are faced with the third scenario that the administration is really not that committed to cyber security and that all of this has been fanfare and flag waving with no real sense of urgency.   I sincerely hope that this is not the case, but the administration can only blame itself for creating lingering doubts with the two months of post-May 29 silence.

The next several days should be telling.  If the administration indeed has their person for the job, then I suspect they will give the Hathaway resignation a couple of days to recede from the public consciousness and then make the announcement.  Or we will go back to the awkward silence that, in my opinion, shouts volumes.  Let us hope this marks the way forward.

It is August, and the White House has Thrown Out More First Pitches Than Cyber Czar Nominees

Here we are at the last Friday of the month, marking the two month anniversary of the announcement by the White House of the creation of a Cyber Czar to help centralize the cyber security activities of the federal government and build bridges to the private sector.   And in those two months the President has thrown out more first pitches to baseball games than names for the position. 

As a CEO, I am expected to be right more times than I am wrong, but this is one case where I had hoped not to be right.  When you balance the lack of forward movement with stories such as the one by Brian Krebs of the Washington Post on how much sensitive data has been leaked because of peer-to-peer applications, the outlook is not good.  We were already in a game of catch up, and valuable time has been lost while the gap grows larger.

In this case, actions do speak louder than words, and every day that passes (with no announcement) makes the proclamations of May 29 seem increasingly empty.  After two months it is fair to ask the administration about the next steps and when we will see them.  If no one is interested in the post, then the administration must see that as a clear indicator that the post has not been properly defined and empowered and make the changes necessary to move forward.  The alternative is to find a gamer who will take the job as currently defined only to face a certainly difficult climb to success.

I applaud your stated objective to make cyber security a priority, Mr. President.  But after two months, we need to hear something instead of silence so we know that the initiative is moving forward.

Tackling the Pressing One Handed Security Topics of the Day

I had some shoulder surgery on Thursday so I will ease back into the work flow with some short, typeable-with-one-hand subjects.

  • In past blogs we have talked about the ecosystem between Microsoft and the antivirus vendors. The “circle of life” is roughly: MS releases operating systems and software, the software has flaws, cyber criminals exploit the flaws, people buy AV software. In a recent article in Canada.Com a writer puts some numbers on the effect of an OS release for McAfee and Symantec. Of course, the writer does not single out security-related spend, so it is very non-specific. But it does put some real numbers into the context of enterprise valuation tied to OS releases and the “positive impact on the entire PC value chain.” There is nothing inherently wrong with such ecosystems, and they evolve quite naturally in business. But sometimes protection of a comfortable, mutually beneficial ecosystem can slow innovation, and I am of the opinion that this is the case with IT security at times.
  • A new study shows CEOs and their management teams often disagree on key security issues and the threats to the organization. In short, CEOs do not perceive their organizations as vulnerable, while the next level of execs sees a different picture. We are not talking about wide layers of management between these two views, as many of the senior execs report directly to the CEO. There is clearly a disconnect and a false sense of security on the part of the CEO, which leads to obvious issues in funding security initiatives. It would seem we still have some way to go in educating CEOs on the threat level and the potential impact to the organization.
  • A new study shows CEO’s and their management team often disagree on key security issues and the threats to the organization. In short , CEOs do not perceive their organizations as vulnerable, while the next level execs see a different picture. We are not talking wide layers of management between these two views as many of the senior execs report directly to the CEO. There is clearly a disconnect and false sense of security on behalf of the CEO, which leads to obvious issues in funding security initiatives. It would seem we still have some way to go in educating CEOs on the threat level and the potential impact to the organization.
  • Cyber criminals are doing brisk business with malicious sites aimed at those looking to download pirated copies of the new Harry Potter movie. A correlation between Harry Potter fans and computer geeks – who would have predicted?
  • I have led a charmed life and have not had surgery since I was six for tonsils (I never got ice cream, BTW – someone owes me, because they always promise ice cream when you get your tonsils out). Prior to the surgery, I cannot tell you the number of times my identity was verified by someone who would look at the information on my bracelet and then ask me personally identifying questions. The number on my bracelet was continually cross-matched to the forms. I even had to initial the affected shoulder with the doctor. Such thorough multi-factor authentication was impressive and laudable, but the threat of malpractice is a major driver of such discipline. This takes us back to the cold hard fact that any security compliance is only as effective as the teeth behind it. Our CEO has been saying as much about the White House Cyber Security Policy and the need for enforcement teeth for it to succeed. What I saw at the hospital is policy driven by real monetary dynamics (avoiding malpractice) that is given high priority from the top.

The Korean DoS Attacks, Securing the Software Supply Chain and More

I will take potpourri for $200 Alex…

  • Triumfant CEO John Prisco is quoted in the July 10 post of Byron Acohido’s The Last Watchdog blog regarding the Korean DoS attacks. These attacks have taken an interesting turn, as the botnets created by the attackers are now literally turning on the infected machines, deleting files and ultimately corrupting the system until it will not boot.  I have read a lot about this attack from many respected members of the IT security community.  Some have assessed the attacks as unsophisticated and poorly executed, while others like Acohido and Brian Krebs of Security Fix (which was targeted in the actual attack) are speculating on whether it is a practice run – a war game – for more targeted attacks down the road.  Either way, it is one of the most interesting story lines since we were all gripped with Conficker fever in the early spring.  I suspect there will be more intrigue to come.  If it was a war game, it will be interesting to see how the good guys grade themselves.
  • I posted a blog entry in June about Securing the Software Supply Chain and how Triumfant can help manage that important part of any organization’s security strategy.  The white paper on the subject is now available on the Triumfant web site for your reading pleasure.  Since many defensive products do their monitoring as malicious software is inbound to the machine, attacks embedded in what appears to be legitimate software may evade protection.  Because Triumfant looks for changes on endpoint machines, it will detect the event where the embedded malware “wakes up” and begins its malicious activity.
  • I recently was away at the beach for a week with my family.  I mention that because I did not tweet or blog about the fact that I was gone, as there have been reports that people have been robbed after letting the world know through social media outlets that they would be away from their homes for extended periods.  Which brings me to two points.  First, never underestimate the speed with which the bad guys will find and exploit new paths – in this case social media – to do their criminal work.  Second, security, whether it is IT security or physical security, requires an element of good old prudent thinking to succeed no matter how much technology is deployed.  Human factor engineering (or stopping stupid, as I call it) has been and will always be the biggest failure point in security.
  • Isn’t it time for someone in the Obama Administration to tell us why we do not have a cyber czar yet?  I mean really.  I agree with our CEO John Prisco completely and join him in wondering why they would first make the announcement without a person in the spot, much less go six weeks after the announcement without a nomination.  The claims of IT security being a priority are starting to sound very hollow.

The White House Cyber Security Initiative: One Month Gone, No Cyber Czar, No Progress

On May 29, President Obama stepped to the microphone and assured all of us that cyber security would be a top priority for his administration. He cited the need to protect the country against the direct attacks on our infrastructure by other countries. He spoke of a “cyber czar” that would help centralize the cyber security activities of the federal government and build bridges to the private sector. And the White House delivered the Cyberspace Policy Review.

The White House has followed up this grand show with…absolutely nothing. Zip. Zilch.

While many in the IT Security industry applauded the event and used all of the hyperbolic adjectives to praise the announcement, I could not help but be concerned. And so far the follow-up and execution has done nothing to take away my fears. One of my specific concerns was why the announcement was made without the cyber czar in place. It is now July and the Obama administration has not yet identified the person to lead this effort. Most concerning is that names for frontrunners have been scarce in a town where speculating on who-will-get-what-post is a full-time hobby. I simply cannot believe that no one is qualified, so my logical conclusion is that those being considered are being scared away by a role that either lacks real power or is too poorly defined (or both). If I am correct, then landing an effective leader will be problematic and the initiative will have little hope of success, as the role absolutely requires someone who can facilitate effective first steps and overcome the obstacles of the politics at hand.

I normally like to be right, but in this case I would have welcomed the opportunity to have been proven wrong. But unless we can roll up the Cyberspace Policy Review and use it to beat away malicious attacks, the cyber initiative is off to a less than promising start. We are stuck at the starting line without a leader, and from all appearances without even the most modest of next steps on the horizon.

I think it is time for the IT Security community to cease the platitudes to the Obama Administration and instead call for immediate progress. We are already behind, and we will never catch up if we cannot make even the first constructive steps forward.

Securing the Software Supply Chain

I just finished the draft of a white paper on the software supply chain and how Triumfant addresses some of the problems presented in that chain.  The white paper explores how to protect organizations from the subversion of third party software to create security problems in the form of exploits to be used later for malicious activity, or actual malicious code baked into the software.  The growing global economy, the demand for new applications, and the pressure to get those new applications to market quickly are all factors that are driving the problem.  The research brought into clear view that we are in an interesting conundrum because as security threats become increasingly complex and persistent, we are going the exact opposite way in our development processes and methodologies. 

Think about the gold rush to build iPhone applications – just how much time do you think was spent on securing those applications?  The software being developed today is neither designed nor built to be secure.  Today’s developers have had very little exposure to secure development methodologies, and therefore do not integrate sound security practices into their coding and engineering.  Rapid development, iterative design, and the growing use of mash-ups all point to the fact that there can be no presumption that security is baked in.  Combine this lack of security rigor with the overt threat of baking exploits or malware into an application and we have a serious security problem.

So back to the conundrum – as the cyber criminals have become more organized and find new and innovative ways to attack our systems, we are countering by rolling out software across our computer populations that is increasingly less prepared from a security perspective.  After all, how much easier is it for a cyber criminal to subvert application software that is willingly distributed by the targeted organization rather than go through all the problems of infiltrating machines one at a time?

Up to the point where I started this paper, I was focused on the more direct acts of infiltration and had not fully considered the implications of the software supply chain.  I actually was pointed that way by someone steeped in IT security who, after getting the three-minute malware challenge demo at RSA, noted that Triumfant was uniquely capable of addressing much of the software supply chain issue because of its change detection capabilities.  After my research I have a better appreciation of the problem and now understand that the software supply chain must be considered in any defense in depth strategy.  And not just the normal process of testing applications before they are deployed, but the vigilance of testing applications post-deployment.  There was actually a great article in PC World about how DISA continues rigorous testing post-deployment.  I would also note that the subject of the software supply chain was noted in the White House Cybersecurity Policy Review.
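The post-deployment change detection described in this post and in the July bullet about embedded malware that “wakes up” after passing inbound scanning, as an added example (not Triumfant’s code or any product’s): a baseline of the endpoint taken right after a vendor package is installed is compared with a later scan, and new or altered files beside the trusted install set, plus new persistence entries, are raised as findings. All paths, contents and registry-style autorun names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


def digest(data: bytes) -> str:
    """SHA-256 of file contents: the identity compared across snapshots."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Snapshot:
    """What an endpoint agent would record: file hashes and persistence entries."""
    files: dict          # path -> sha256 hex digest (constructed paths)
    autoruns: frozenset  # persistence entries (constructed registry-style names)


@dataclass(frozen=True)
class Finding:
    kind: str      # added | modified | removed | new_autorun
    path: str
    severity: str  # high | medium


def in_install_dir(path: str, install_set: frozenset) -> bool:
    """True when the path sits in a directory the trusted package created."""
    dirs = {p.rsplit("/", 1)[0] for p in install_set}
    return path.rsplit("/", 1)[0] in dirs


def diff_snapshots(baseline: Snapshot, current: Snapshot, install_set: frozenset) -> list:
    """Compare a post-install baseline with a later scan of the same endpoint.

    install_set is the file set the vendor package legitimately laid down.
    Pre-deployment testing can only vouch for that set as it was installed;
    anything that changes beside it afterwards is the event to look at.
    """
    findings = []
    for path, h in current.files.items():
        if path not in baseline.files:
            # A new binary inside the trusted install directory is the
            # classic "dormant dropper activates" pattern; rate it high.
            sev = "high" if in_install_dir(path, install_set) else "medium"
            findings.append(Finding("added", path, sev))
        elif baseline.files[path] != h:
            sev = "high" if path in install_set else "medium"
            findings.append(Finding("modified", path, sev))
    for path in baseline.files:
        if path not in current.files:
            findings.append(Finding("removed", path, "medium"))
    for entry in current.autoruns - baseline.autoruns:
        findings.append(Finding("new_autorun", entry, "high"))
    # High-severity findings first, then stable ordering for reporting.
    return sorted(findings, key=lambda f: (f.severity != "high", f.kind, f.path))


def demo() -> list:
    """Constructed scenario: vendor app installs cleanly, implant acts later."""
    install = {
        "C:/Program Files/VendorApp/vendorapp.exe": b"clean exe v1",
        "C:/Program Files/VendorApp/vendorapp.dll": b"clean dll v1",
        "C:/Program Files/VendorApp/readme.txt": b"docs",
    }
    install_set = frozenset(install)
    baseline = Snapshot({p: digest(c) for p, c in install.items()},
                        frozenset({"HKLM/Run/VendorApp"}))
    # Later scan: a library was altered, a new executable appeared next to
    # the trusted files, a persistence entry was added, and an unrelated
    # user document changed (expected medium-severity noise).
    later = dict(install)
    later["C:/Program Files/VendorApp/vendorapp.dll"] = b"clean dll v1 + patched export"
    later["C:/Program Files/VendorApp/svchelper.exe"] = b"dropped payload"
    later["C:/Users/alice/Documents/notes.txt"] = b"user file"
    current = Snapshot({p: digest(c) for p, c in later.items()},
                       frozenset({"HKLM/Run/VendorApp", "HKCU/Run/VendorUpdate"}))
    return diff_snapshots(baseline, current, install_set)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.severity:6} {f.kind:12} {f.path}")
```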

I will address how Triumfant addresses this problem in a future post and provide the link to the white paper as soon as it is ready for prime time.

Action Instead of Rhetoric – It Can and Does Happen

The response to Triumfant CEO John Prisco’s less than laudatory reaction to the White House Cybersecurity Policy Review has been interesting to watch.  To John’s credit, he did not fall into line and unilaterally sing the praises of the document or the President’s speech, and his was one of the first voices in the IT security market to express practical concerns over the review.  One of John’s primary concerns was a lack of urgency in regards to taking some real and concrete action sooner rather than later given the depth of our current problems and vulnerabilities.    

One good example of action over rhetoric was made public Wednesday, when the National Institute of Standards and Technology (NIST) announced that it was teaming with the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) to work with the Internet Corporation for Assigned Names and Numbers (ICANN) and VeriSign on an initiative to “enhance the security and stability of the Internet”.  Specifically, the initiative is working to bring a new security technology called Domain Name System Security Extensions (DNSSEC) into use to address known vulnerabilities in the DNS protocol.  The working group plans to deliver an interim approach to DNSSEC by year end and continue to collaborate with U.S. agencies and the private sector to further refine the technology going forward.

There is a lot of good in this little announcement.  One, they are addressing – not studying or measuring or debating – a real problem.  Two, this is a collaboration of multiple government entities and the private sector, proving that it can be done without dissolving into Lord of the Flies.  Three, they are moving forward to deliver something sooner rather than later, and will refine as they go.  It appears they have a solid plan with dates and deliverables, and have the proper commitments in place to deliver to that plan.

I have heard John say this more than once this week and I believe he is dead on right: we have ceded the luxury of debate and we need to move quickly to action.  In regards to U.S. cyber security, the problems we face are deep enough that we don’t need to waste time measuring their depth before we start to fix them.  Action is required and required sooner rather than later, which is why John rightfully asked why the review was announced without a cyber czar selected and ready to get started.  Hats off to NIST and the others behind the DNSSEC initiative, as they are moving forward at a time when more walk and less talk is the order of the day.
