<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>SecureThinking</title>
	<atom:link href="http://www.btsecurethinking.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.btsecurethinking.com</link>
	<description></description>
	<lastBuildDate>Thu, 29 Jul 2010 13:06:20 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>We have security problem blah, blah, blah – can you help us?</title>
		<link>http://www.btsecurethinking.com/2010/07/we-have-security-problem-blah-blah-blah-%e2%80%93-can-you-help-us/</link>
		<comments>http://www.btsecurethinking.com/2010/07/we-have-security-problem-blah-blah-blah-%e2%80%93-can-you-help-us/#comments</comments>
		<pubDate>Thu, 29 Jul 2010 13:06:20 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[Ben Rothke]]></category>
		<category><![CDATA[Ben Tomhave]]></category>
		<category><![CDATA[Gartner]]></category>
		<category><![CDATA[Mark Nicolett]]></category>
		<category><![CDATA[Network Security Best Practices]]></category>
		<category><![CDATA[Security Best Practices]]></category>
		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=816</guid>
		<description><![CDATA[By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, CISM
Two years ago, my colleague Ben Tomhave and I wrote an article titled, Information Security and the Importance of Context. 
Perhaps we were ahead of our times, as a new report from Gartner &#8212; Effective Security Monitoring Requires Context &#8212; echoes some of the same sentiment.
In [...]]]></description>
			<content:encoded><![CDATA[<p>By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, CISM</p>
<p>Two years ago, my colleague <a  href="http://www.secureconsulting.net/">Ben Tomhave</a> and I wrote an article titled, <a  href="http://www.csoonline.com/article/446863/Information_Security_and_the_Importance_of_Context?contentId=446863&#038;slug=">Information Security and the Importance of Context</a>. </p>
<p>Perhaps we were ahead of our times, as a new report from Gartner &#8212; <a  href="http://www.gartner.com/DisplayDocument?id=1395416&#038;ref=g_sitelink">Effective Security Monitoring Requires Context</a> &#8212; echoes some of the same sentiment.</p>
<p>In the report, Gartner Distinguished Analyst <a  href="http://www.gartner.com/AnalystBiography?authorId=8740">Mark Nicolett</a> notes that the rapid discovery of a breach is key to minimizing the damage of a targeted attack.  And if you are the victim of a targeted attack, anything less than a targeted remediation effort is insufficient. </p>
<p>In those 49 words, Nicolett subtly distinguishes between organizations that are on top of their information security effort and those that are playing information security charades.</p>
<p>It’s 2010 &#8212; and far too many organizations are still clueless regarding their security risks.  They buy security products, write security policy, and do security things; but they lack the context in which to execute security initiatives.  They end up doing a security dance, but in the words of Billy Idol, they are dancing with themselves.</p>
<p>There are myriad excellent security books, articles and blogs; but the only way to use that information within your organization is to have a context in which to apply security processes.</p>
<p>The industry has also created a plethora of security best practices, which are often quite effective.  But if you don’t know your security problems, the “bestest” of the best security practices won’t do much for you.</p>
<p>So what do you need to know?  Know your enemies, know your security threats, and within that context, create a security strategy.</p>
<p>Nicolett breaks context down into four areas: user, data, application, and external threat.  Creating a matrix of your risks against those areas is fundamental.  Once that is done, a formal information security strategy can be executed.  The addition of context to your security event monitoring infrastructure will increase the likelihood of early discovery of a targeted attack, resulting in shorter recovery time, reduction in losses and other benefits.</p>
<p>Organizations that have done that find that their security product purchases are radically different.  Rather than securing themselves against blah, blah, blah threats, they have metrics to show how effective they are.  Security purchasing costs go down, while the level of protection improves. </p>
<p>On the web, content is key.  When it comes to information security and protecting your digital assets, <span style="text-decoration: underline;">context</span> is key.  Know your context and protect your infrastructure.  If not, it is back to blah, blah, blah security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/we-have-security-problem-blah-blah-blah-%e2%80%93-can-you-help-us/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Perfect Night Out</title>
		<link>http://www.btsecurethinking.com/2010/07/the-perfect-night-out/</link>
		<comments>http://www.btsecurethinking.com/2010/07/the-perfect-night-out/#comments</comments>
		<pubDate>Tue, 27 Jul 2010 14:58:51 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[BT events]]></category>
		<category><![CDATA[Chicago-area CSO]]></category>
		<category><![CDATA[LinkedIn]]></category>
		<category><![CDATA[MSSP]]></category>
		<category><![CDATA[Security Leaders]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=813</guid>
		<description><![CDATA[By Jill Knesek, Chief Security Officer, BT Global Services
Before I became a CSO, I thought the perfect night out was dinner and a movie.  Now, while I still like to see a good movie, the opportunity to get together with my peers and talk about issues at work &#8212; the ones that keep me up [...]]]></description>
			<content:encoded><![CDATA[<p>By Jill Knesek, Chief Security Officer, BT Global Services</p>
<p>Before I became a CSO, I thought the perfect night out was dinner and a movie.  Now, while I still like to see a good movie, the opportunity to get together with my peers and talk about issues at work &#8212; the ones that keep me up at night &#8212; beats any Hollywood blockbuster.</p>
<p>This Wednesday evening, July 28<sup>th</sup>, I will be hosting a dinner for Chicago-area CSOs to talk about these very issues.  I know that I’m looking forward to finding out how others are dealing with risk management issues, success you are having with getting a seat at the boardroom table, how cloud computing is changing how you allocate security resources, and sharing my experiences and successes in protecting data and managing risk at a global level.</p>
<p>To register for the event, please contact <a  href="mailto:kurt.luporini@usc-bt.com">Kurt Luporini</a>, BT’s security specialist in the Chicago area.  If you’re not able to join me for dinner on Wednesday, why not connect with me on <a  href="http://www.linkedin.com/pub/jill-knesek/1/62a/2a2">LinkedIn</a> either directly or through the <a  href="http://www.linkedin.com/groupInvitation?groupID=113049&#038;sharedKey=2E928A5E0187">Security Leaders Group</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/the-perfect-night-out/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is a hack into our nation’s domestic infrastructure possible?</title>
		<link>http://www.btsecurethinking.com/2010/07/is-a-hack-into-our-nation%e2%80%99s-domestic-infrastructure-possible/</link>
		<comments>http://www.btsecurethinking.com/2010/07/is-a-hack-into-our-nation%e2%80%99s-domestic-infrastructure-possible/#comments</comments>
		<pubDate>Thu, 22 Jul 2010 15:04:08 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureAlert]]></category>
		<category><![CDATA[BT]]></category>
		<category><![CDATA[grid hacking]]></category>
		<category><![CDATA[Industrial Control Systems]]></category>
		<category><![CDATA[MSSP]]></category>
		<category><![CDATA[National Security Agency]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[Perfect Citizen]]></category>
		<category><![CDATA[SCADA]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=808</guid>
		<description><![CDATA[By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services
The National Security Agency recently unveiled a program to help secure the networks of crucial domestic infrastructure, including the networks of electrical companies and nuclear power plants. Called “Perfect Citizen,” the program is geared to bring attention to the possibility of [...]]]></description>
			<content:encoded><![CDATA[<p>By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services</p>
<p>The National Security Agency recently unveiled a program to help secure the networks of crucial domestic <a  href="http://www.btsecurethinking.com/2009/09/protecting-our-nation%e2%80%99s-most-critical-infrastructure-and-assets/">infrastructure</a>, including the networks of electrical companies and nuclear power plants. Called “Perfect Citizen,” the program is geared to bring attention to the possibility of <a  href="http://www.btsecurethinking.com/2010/03/proven-security-practices-for-smart-grid-security/">grid hacking</a>.</p>
<p>Interestingly, a recent <strong><em>Wired</em></strong> <a  href="http://www.wired.com/dangerroom/2010/07/hacking-the-electric-grid-you-and-what-army/">article</a> asked, “…if it’s so easy to turn off the lights using your laptop, how come it doesn’t happen more often?”  According to the article (<em>“Hacking the Electric Grid? You and What Army?”</em>, July 13, 2010):</p>
<p style="padding-left: 30px;">
<em>Your average power grid or drinking water system isn’t analogous to a PC or even to a corporate network. The complexity of such systems, and the use of proprietary operating systems and applications that are not readily available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more difficult than using <a  href="https://www.metasploit.com/redmine/projects/framework">Metasploit</a>.</em></p>
<p style="padding-left: 30px;"><em>To start, these systems are rarely connected directly to the public Internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.</em></p>
<p style="padding-left: 30px;"><em>Let’s pretend for a moment that hackers were planning to attack the U.S.  What would they need to do to gather enough information necessary to take out the electrical power in key parts of the country?  They don’t want to fiddle at the edges, mind you.  They want to have enough data to build the technical capability necessary to shut out the lights in Washington or New York or California at precisely the time and for exactly the duration they want.</em></p>
<p style="padding-left: 30px;"><em>For starters, <a  href="https://www.hsdl.org/hslog/?q=node/4593">they would need to know things like</a>:  Where are the power plants?  What kind of plants are they? What sort of fuel do they use?  Who built them and when?  What sort of materials and technology were used when they were built?  Who manufactured the generators, turbines and other key equipment?  Whose <a  href="http://www.btsecurethinking.com/2009/10/the-difficulties-of-detecting-attacks-on-scada-systems/">SCADA</a> software are they running?  Who runs the plants?  How do fuel, people, supplies get into or out of the plant? What sort of security do they have?  And perhaps most importantly: which plants supply power to which parts of the country?</em></p>
<p>While the <strong><em>Wired</em></strong> article included a lot of questions that are interesting, we ask: Are foreign attacks on our nation’s crucial infrastructure possible?  Our answer is <a  href="http://www.btsecurethinking.com/2010/06/bp-oil-spill-wakes-up-country-to-need-for-stronger-scada-controls/">absolutely</a>. This is a real security threat and one that shouldn’t be taken lightly.</p>
<p>In fact, <strong><em>The New York Times</em></strong> <a  href="http://www.nytimes.com/external/idg/2010/07/17/17idg-new-virus-targets-industrial-secrets-61976.html">reported</a> last week that a new virus targets the computers used to manage large-scale industrial control systems used by manufacturing and utility companies. While the SCADA systems that run the software are not typically connected to the Internet, this specific virus spreads when an infected USB stick is inserted in the computer.</p>
<p>To assist these organizations, BT Managed Security Solutions Group offers a multi-layered, <a  href="http://bt.counterpane.com/utilities-consulting.html" target="_blank">holistic approach</a> to secure critical network infrastructure (CNI) and organizational monitoring. This offering enables any organization to have a view of its security posture as it relates to its critical infrastructure (substations, control centers, energy management systems) and its interconnectivity with the organization.</p>
<p>With a holistic approach, the footprints of an attack may be discovered across multiple systems or even across multiple operating areas.  As organizations merge to achieve economies of scale, disparate geographic operating regions become interconnected via common enterprise environments.  </p>
<p>In today’s regulatory-driven environment, an organization must consider its entire critical infrastructure – from the substation to the control center and out to the enterprise network – when making security monitoring decisions.</p>
<p>The fast and accurate detection of security-related events is an organization’s first line of defense against security intrusions.  This can only be achieved through a holistic solution that provides enterprise-wide security by aggregating and correlating information from both critical network infrastructure and enterprise networks, providing organizations transparency into their security posture.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/is-a-hack-into-our-nation%e2%80%99s-domestic-infrastructure-possible/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CISOs to the Rescue!</title>
		<link>http://www.btsecurethinking.com/2010/07/cisos-to-the-rescue/</link>
		<comments>http://www.btsecurethinking.com/2010/07/cisos-to-the-rescue/#comments</comments>
		<pubDate>Tue, 20 Jul 2010 15:24:06 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureCompliance]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Ernie]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[NERC]]></category>
		<category><![CDATA[PCI]]></category>
		<category><![CDATA[searchsecurity.com]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=805</guid>
		<description><![CDATA[By Jill Knesek, Chief Security Officer, BT Global Services
There aren’t many times I check in on the trade publications and see an article that really hits on the issues faced by the C-level audience in the security sector.  Frankly, we’re an unusual bunch, with very specific interests, issues, and concerns.  But recently, I saw an [...]]]></description>
			<content:encoded><![CDATA[<p>By Jill Knesek, Chief Security Officer, BT Global Services</p>
<p>There aren’t many times I check in on the trade publications and see an article that really hits on the issues faced by the C-level audience in the security sector.  Frankly, we’re an unusual bunch, with very specific interests, issues, and concerns.  But recently, I saw an article by Ernie Hayden at <a  href="http://www.searchsecurity.com/">searchsecurity.com</a> that got to the heart of some of the compliance issues that I know I face and I’m sure you grapple with, too.</p>
<p>Approaching compliance from the standpoint of managing processes, Hayden outlines five key propositions that can help guide decision-making and apply equally to PCI and to NERC.  His top picks are:</p>
<ul>
<li>Your fundamental obligation to the company is to protect data and prevent loss</li>
<li>You should know the ins and outs of the regulations your organization is held to</li>
<li>View training and awareness as key components of your compliance strategy</li>
<li>Understand the root cause of any issues related to compliance</li>
<li>The organization should be kept under constant pressure to be in compliance</li>
</ul>
<p>To read Hayden’s entire article – “How to manage compliance as Chief Information Security Officer (CISO)” &#8212; click <a  href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1511046,00.html?track=NL-430&#038;ad=774337&#038;asrc=EM_NLT_11955698&#038;uid=9179409">here</a>. </p>
<p>And if you’re a C-level or senior security officer in the Chicago area and would like to continue this conversation over dinner, I’ll be hosting a <strong>BT Security Roundtable in Chicago on July 28.  </strong>To learn more about the dinner, please contact our Chicago-area managed security solutions specialist, <a  href="mailto:kurt.luporini@usc-bt.com">Kurt Luporini</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/cisos-to-the-rescue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>To outsource or not?  That is the security question</title>
		<link>http://www.btsecurethinking.com/2010/07/to-outsource-or-not-that-is-the-security-question/</link>
		<comments>http://www.btsecurethinking.com/2010/07/to-outsource-or-not-that-is-the-security-question/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 16:07:45 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[Enterprise Management Associates]]></category>
		<category><![CDATA[Managed Security Services]]></category>
		<category><![CDATA[MSSP]]></category>
		<category><![CDATA[security spending]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=799</guid>
		<description><![CDATA[By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services
Dramatic increases in vulnerabilities and threats coupled with growing compliance requirements have made security into one of the most challenging domains of IT management.  How can organizations make the most of limited resources without sacrificing strategic business priorities? How can organizations [...]]]></description>
			<content:encoded><![CDATA[<p>By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services</p>
<p>Dramatic increases in vulnerabilities and threats, coupled with growing compliance requirements, have made security one of the most challenging domains of IT management.  How can organizations make the most of limited resources without sacrificing strategic business priorities? How can organizations deliver security management at scale, from day one?  </p>
<p>Recent <a  href="http://www.mspmentor.net/2010/07/09/ema-customers-plan-to-use-more-managed-security-services/">research</a> from <a  href="http://www.enterprisemanagement.com/">Enterprise Management Associates</a> indicates that organizations are turning to managed security services to address these concerns.  In fact, spending is on the rise as more businesses dedicate resources in this area over the next 12 months.</p>
<p>So what has driven this change?  Typically, organizations have been wary of outsourcing in general, let alone giving up control when it comes to securing their most critical assets.  One main driver is that organizations have to do more with less.  As security threats continue to evolve and become more sophisticated, organizations have a better understanding of the implications for their business, yet they often lack the resources to manage the threats effectively in house. </p>
<p>While change is in the air, there is still some uncertainty on the option of outsourcing.  So here is our take on the value provided:</p>
<ul>
<li><strong>Specialized and highly trained resources:</strong> The fact is that attacks evolve every day.  Technologies to protect against these attacks need to evolve to meet the sophistication of new attacks.  But tools alone can’t protect your organization.  By outsourcing, organizations have access to <a  href="http://bt.counterpane.com/services-msm.html">highly trained analysts</a> who utilize the most advanced tools and expertise.  It is difficult for organizations, even at a global level, to maintain this type of internal resource.</li>
<li><strong>Keeping on top of the latest: </strong>Ongoing training for specialists can be a drain on resources.  Continuous professional development requirements should be a part of your MSSP’s responsibilities since threats, attack vectors, attack patterns, and technologies are changing constantly.  When considering an MSSP, ensure that your vendor requires their teams to be certified and recertified on a regular basis.  </li>
<li><strong>A broader view: </strong>Ultimately, the greatest advantage of turning to an MSSP is that vendors have a broader view of events.  An MSSP will see significantly more events than a single company and will have a global view of these events.  This means MSSPs can detect patterns of attacks and see attacks develop in real time, allowing for quick remediation and, in some cases, prevention of an attack altogether.  </li>
</ul>
<p>So when asked if an organization should outsource security or keep it inside, it may not be a simple answer, but each organization should evaluate options and determine which method is best for their needs.  To learn more, go to <a  href="http://bt.counterpane.com/managed-security-solutions.html">http://bt.counterpane.com/managed-security-solutions.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/to-outsource-or-not-that-is-the-security-question/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Kraken is Baaaaaaaack</title>
		<link>http://www.btsecurethinking.com/2010/07/kraken-is-baaaaaaaack/</link>
		<comments>http://www.btsecurethinking.com/2010/07/kraken-is-baaaaaaaack/#comments</comments>
		<pubDate>Wed, 14 Jul 2010 20:54:20 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureAlert]]></category>
		<category><![CDATA[anti-virus defense]]></category>
		<category><![CDATA[bot detection]]></category>
		<category><![CDATA[Botnet]]></category>
		<category><![CDATA[BT]]></category>
		<category><![CDATA[Kraken]]></category>
		<category><![CDATA[MSSP]]></category>
		<category><![CDATA[remediation]]></category>
		<category><![CDATA[Son-of-Kraken]]></category>
		<category><![CDATA[Tom Le]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=795</guid>
		<description><![CDATA[By Senthil Venkatachalam, Product Manager, and Tom Le, Director of Research and Development, BT Managed Security Solutions Group
Botnets, in general, are very dangerous and difficult to extinguish.  Within the past several weeks, we’ve learned the Kraken botnet has returned from the dead and is gaining strength yet again.
According to a recent Dark Reading article, the [...]]]></description>
			<content:encoded><![CDATA[<p>By Senthil Venkatachalam, Product Manager, and Tom Le, Director of Research and Development, BT Managed Security Solutions Group</p>
<p>Botnets, in general, are very dangerous and difficult to extinguish.  Within the past several weeks, we’ve learned the Kraken botnet has returned from the dead and is gaining strength yet again.</p>
<p>According to a recent <strong><em>Dark Reading</em></strong> <a  href="http://www.darkreading.com/vulnerability_management/security/antivirus/showArticle.jhtml?articleID=225701438">article</a>, the botnet &#8212; despite being dismantled last year &#8212; has recently compromised more than 318,000 systems.  That is nearly half the number reported at Kraken’s peak!</p>
<p><strong>How does Kraken work? </strong></p>
<p>Kraken came to the fore in 2008, after infecting hundreds of thousands of computers and causing them to send enormous numbers of spam emails.  While the authors of Kraken were arrested in 2009 and the network was disabled, the new Son-of-Kraken seems to be a variation which re-uses Kraken’s malicious code.  This code is propagated by a botnet framework – or <a  href="http://www.symantec.com/connect/blogs/mariposa-butterfly-bot-kit">butterfly</a> framework – which is known for its efficiency in spreading such malware.  Some of you might remember another famous and large botnet, the <a  href="http://www.informationweek.com/blog/main/archives/2010/07/the_kraken_botn.html">Mariposa</a> botnet, which also used the butterfly framework.</p>
<p><strong>Detecting the “classic” Kraken</strong></p>
<p>Botnets are difficult to prevent and, once a network is infected, even more difficult to detect.  With anti-virus tools alone, Kraken is nearly impossible to detect: AV and anti-malware defenses are often disabled by the bot during the original infection.  IT professionals therefore need network-level detection as well.  Suspicious activities that can be used to detect a botnet include:</p>
<ul>
<li>DNS lookups to certain domains</li>
<li>Traffic on unusual (typically high) port numbers</li>
<li>Connections (or attempts) to IPs in a known range</li>
<li>Protocol violations in datagrams or sessions traversing the firewall (e.g., encrypted traffic over port 80, or non-SSL traffic over port 443)</li>
<li>Excessive outgoing emails or other activity not usually associated with business traffic</li>
</ul>
<p>But to assume you <span style="text-decoration: underline;">don’t</span> have a botnet infection because there are no visible symptoms is a mistake.  Because bots seek to avoid detection, you need to constantly check firewall and IPS logs to unearth an infection.</p>
<p><strong>Preparation is key</strong></p>
<p><a  href="http://twitter.com/georgevhulme">George Hulme</a> said in a recent <strong><em>InformationWeek</em></strong> <a  href="http://www.informationweek.com/blog/main/archives/2010/07/the_kraken_botn.html">article</a>, “One thing is certain: current methods of bot detection and remediation are not getting the job done.”</p>
<p>It&#8217;s essential that companies ensure they have maximum and continuous early-warning security measures in place to protect the integrity of their assets and mitigate risks.  For BT Managed Security Solutions Group (MSSG) customers, the good news is that a <a  href="http://www.btsecurethinking.com/2010/06/keeping-it-simple-before-you-drift-into-the-cloud/">botnet detection</a> module is a standard Managed Secure Monitoring service available to all customers.</p>
<p>BT MSSG has had significant success in using its customers’ firewalls to detect botnets through log analysis and event correlation.  Based on a fundamental understanding of botnet behavior, the BT team reasoned that since every botnet needs to call home at some point in order to be activated, outbound messages traversing a firewall will create detectable patterns of behavior that accurately indicate botnet activity <em>before</em> it has the opportunity to take over your network. </p>
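<p>The indicators listed above and the call-home pattern described in the previous paragraph, as an added example that is not BT’s detection module and not code from the original post: a Python script that runs those rules over a constructed sample of outbound firewall log lines and flags hosts that hit known-bad ranges, unusual high ports, a protocol/port mismatch, excessive outbound SMTP, or regular beaconing to one destination.  The log line format, the <code>app=</code> field, the port allow list, the thresholds and the 198.51.100.0/24 “known bad” range are assumptions for illustration only.</p>

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Added example (not BT's detection module): the botnet indicators from the
# post expressed as rules over outbound firewall log lines.  The line format
# and the "app=" field (an app-layer tag assumed to come from the firewall or
# IPS) are assumptions; KNOWN_BAD uses documentation address space as a
# placeholder for a real C2 range list.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) app=(?P<app>\w+)$"
)
KNOWN_BAD = [ip_network("198.51.100.0/24")]   # assumed C2 ranges
EXPECTED_HIGH_PORTS = {8080, 8443}             # high ports the business uses
SMTP_PER_HOST_LIMIT = 50                       # outbound SMTP sessions per host
BEACON_MIN_HITS = 4                            # sessions before judging regularity
BEACON_MIN_GAP = 60.0                          # seconds; bursts are not beacons
BEACON_MAX_CV = 0.1                            # stdev/mean of inter-arrival gaps

# Constructed sample log (not real traffic): one host beaconing every five
# minutes to a "known bad" address on an odd port, one host speaking TLS on
# port 80, one host opening 60 SMTP sessions, and one DENY line to be ignored.
SAMPLE_LOGS = "\n".join(
    [
        "2010-07-14T10:00:00 ALLOW src=10.0.0.5 dst=192.0.2.10 dport=443 app=tls",
        "2010-07-14T10:00:05 ALLOW src=10.0.0.5 dst=198.51.100.7 dport=8765 app=unknown",
        "2010-07-14T10:05:05 ALLOW src=10.0.0.5 dst=198.51.100.7 dport=8765 app=unknown",
        "2010-07-14T10:10:05 ALLOW src=10.0.0.5 dst=198.51.100.7 dport=8765 app=unknown",
        "2010-07-14T10:15:05 ALLOW src=10.0.0.5 dst=198.51.100.7 dport=8765 app=unknown",
        "2010-07-14T10:02:00 ALLOW src=10.0.0.9 dst=203.0.113.4 dport=80 app=tls",
        "2010-07-14T10:02:30 DENY src=10.0.0.9 dst=203.0.113.4 dport=6667 app=irc",
    ]
    + [
        f"2010-07-14T11:00:{i:02d} ALLOW src=10.0.0.12 dst=192.0.2.50 dport=25 app=smtp"
        for i in range(60)
    ]
)


def parse(log_text):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # never guess at fields on lines we cannot parse
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["dport"] = int(rec["dport"])
        yield rec


def detect(log_text):
    """Return a sorted list of (rule, src, dst) findings for allowed outbound sessions."""
    findings = set()
    sessions = defaultdict(list)   # (src, dst, dport) -> timestamps
    smtp_count = defaultdict(int)  # src -> number of outbound SMTP sessions
    for r in parse(log_text):
        if r["action"] != "ALLOW":
            continue  # blocked sessions never reached the bot's controller
        src, dst, dport, app = r["src"], r["dst"], r["dport"], r["app"]
        if any(ip_address(dst) in net for net in KNOWN_BAD):
            findings.add(("known_bad_range", src, dst))
        if dport >= 1024 and dport not in EXPECTED_HIGH_PORTS:
            findings.add(("unusual_high_port", src, dst))
        # Encrypted traffic where plain HTTP is expected, or plaintext on the TLS port.
        if (dport == 80 and app == "tls") or (dport == 443 and app != "tls"):
            findings.add(("protocol_mismatch", src, dst))
        if dport == 25:
            smtp_count[src] += 1
        sessions[(src, dst, dport)].append(r["ts"])
    for src, n in smtp_count.items():
        if n > SMTP_PER_HOST_LIMIT:
            findings.add(("excessive_smtp", src, "*"))
    # Beaconing: the same host calling the same destination at near-constant intervals.
    for (src, dst, dport), stamps in sessions.items():
        if len(stamps) < BEACON_MIN_HITS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean >= BEACON_MIN_GAP and statistics.pstdev(gaps) / mean <= BEACON_MAX_CV:
            findings.add(("beaconing", src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for rule, src, dst in detect(SAMPLE_LOGS):
        print(f"{rule:18s} {src:12s} -> {dst}")
```

<p>The beaconing rule deliberately ignores bursts (mean gap under a minute) so that a mail server or a spam run is reported as excessive SMTP rather than as a beacon; the DENY line is dropped because a blocked session tells you the firewall worked, not that the bot reached its controller.  On a real firewall the thresholds and the allow list of high ports need to be tuned to the business traffic you actually see.</p>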
<p>One question remains &#8212; is your company prepared for the Son-of-Kraken?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/kraken-is-baaaaaaaack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Weaponization of Cyberspace &#8212; It’s not science fiction, it’s war</title>
		<link>http://www.btsecurethinking.com/2010/07/weaponization-of-cyberspace-it%e2%80%99s-not-science-fiction-it%e2%80%99s-war/</link>
		<comments>http://www.btsecurethinking.com/2010/07/weaponization-of-cyberspace-it%e2%80%99s-not-science-fiction-it%e2%80%99s-war/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 14:54:28 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[BT]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[cyberterrorism]]></category>
		<category><![CDATA[Cyberwar]]></category>
		<category><![CDATA[Jim Tiller]]></category>
		<category><![CDATA[MSSP]]></category>
		<category><![CDATA[weaponization]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=789</guid>
		<description><![CDATA[By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services
There are a number of folks in the security industry who have downplayed the realities of cyberwar.  In some circles, the conversation of cyberwar will elicit some interesting reactions and many tend to deny its potency relative to traditional warfare and traditional weapons.
Moreover, [...]]]></description>
			<content:encoded><![CDATA[<p>By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services</p>
<p>There are a number of folks in the security industry who have downplayed the realities of cyberwar.  In some circles, the conversation of cyberwar will elicit some interesting reactions and many tend to deny its potency relative to traditional warfare and traditional weapons.</p>
<p>Moreover, many begin to blur the lines between cyberwar, cyberterrorism and other cyberattack scenarios, confusing the topic.  In virtually every conversation of this nature, I’m the one who stands out as the lone voice saying they’re not only wrong, but woefully underestimating the situation.</p>
<p>Throughout history, advances in weapon technology have dramatically changed the battlefield. Everything and anything that can be used as a weapon that offers even the slightest advantage over your enemy will be developed and deployed.</p>
<p>Folks… it is war.  Therefore, within this context, cyberspace has evolved from “advantage acquisition” to weaponization because the battlefield now includes the virtual domain.</p>
<p>Early uses of cyber assets mostly took the form of intelligence gathering to establish situational awareness and, of course, counter intelligence.  Moreover, technologies were employed to advance communications and support accurate mobilization of resources.  For example, the Joint Strike Fighter (JSF), as part of the next generation strike fighter, multi-variation platform F-35, has highly sophisticated computers and communications to align multiple forces for effective, real-time battlefield management.  Cyber has allowed for air, sea and ground assets to work together so there is a unified view of battlefield conditions and enemy activity.</p>
<p>The move to weaponization of cyber technologies is in full swing.  Initially, weaponization in cyberspace involved taking hacker tools and tactics and refining them to be more effective, not unlike riffling of cannon barrels.  It is converting something that is reasonably dangerous and can be generally targeted into a manageable device that can be consistently developed, effectively deployed, and accurately directed at the target.  And it produces the intended results by effectively exploiting vulnerabilities in the enemy’s defenses.</p>
<p>A simple example is malware, which comes in multiple forms with a wide range of impact potential.  However, much of what we experience today is indiscriminate because a common hacker’s mission is to infect any system, and as many as possible, to build a botnet for dishing out spam or causing havoc. Clearly, the concept is sound but is not conducive to the ultimate role of a weapon.</p>
<p>A meaningful aspect of weaponization is refinement so that it can be accurately targeted and its impact controlled.  Even malware in the wild has been weaponized, retaining its viral, self-propagating features; but it includes highly sophisticated methods to operate in a predictable manner and submit to in-flight commands to adjust to changes in the environment.</p>
<p>However, today’s weaponization has moved well into the development of completely new forms of cyberweapons.  These are things that have been researched, developed, tested, and refined from scratch, creating completely new types of weapons – not unlike the hydrogen bombs of WWII – and they are game changers.  These new weapons employ comprehensive targeting capabilities, have the ability to effectively navigate cyberspace, comprise a wide spectrum of impact control, and have multipurpose functionality that can change on command or autonomously, based on interpreted conditions.</p>
<p>Fundamentally, cyberweapons are no different from a guided missile.  But instead of traversing the physical domain, they travel across the virtual domain.  In fact, as I write this, <a href="http://www.darpa.mil/about.html">DARPA</a> (Defense Advanced Research Projects Agency) is developing (and has likely completed) a cyber range – an environment for test firing cyberweapons.</p>
<p>Make no mistake &#8212; weaponization of cyberspace is a reality.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/weaponization-of-cyberspace-it%e2%80%99s-not-science-fiction-it%e2%80%99s-war/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hi, my name is hype, and I am your security product</title>
		<link>http://www.btsecurethinking.com/2010/07/hi-my-name-is-hype-and-i-am-your-security-product/</link>
		<comments>http://www.btsecurethinking.com/2010/07/hi-my-name-is-hype-and-i-am-your-security-product/#comments</comments>
		<pubDate>Wed, 07 Jul 2010 13:26:37 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[Ben Rothke]]></category>
		<category><![CDATA[Bob Walder]]></category>
		<category><![CDATA[Gartner]]></category>
		<category><![CDATA[Information Security Strategy]]></category>
		<category><![CDATA[network security]]></category>
		<category><![CDATA[Network Security Architecture]]></category>
		<category><![CDATA[Network Security Products]]></category>
		<category><![CDATA[Silver Bullets]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=786</guid>
		<description><![CDATA[By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, CISM
In a just released report from Gartner, Look Beyond Vendors’ Architecture Hype When Selecting Network Security Products, analyst Bob Walder astutely notes that the factors that network security vendors prefer to stress are frequently irrelevant to their enterprise customers.
CISOs and security professionals making products purchasing [...]]]></description>
			<content:encoded><![CDATA[<p>By Ben Rothke, Senior Security Consultant, BT Global Services, CISSP, CISM</p>
<p>In a just released report from Gartner, <em>Look Beyond Vendors’ Architecture Hype When Selecting Network Security Products</em>, analyst Bob Walder astutely notes that the factors that network security vendors prefer to stress are frequently irrelevant to their enterprise customers.</p>
<p>CISOs and security professionals making products purchasing decisions need to cut through the marketing hype and identify their own real-world needs.  They also must test network security products against those needs to find the most appropriate functionality and performance at the lowest possible cost.</p>
<p>Two of the pragmatic recommendations Walder makes are: first, determine your enterprise-specific requirements for network security products with a focus on factors such as required security mechanisms, acceptable network performance impacts, and available IT and information security skill sets; and second, develop a detailed testing plan for evaluating network security products against these predefined requirements.</p>
<p>What far too few companies seem to realize is that computer security products can’t do it alone.  The reality is that effective information security requires a strategic protection program that integrates people, products and technology. </p>
<p>Too many firms are putting their hopes in the vendors and their products, without first knowing what their specific information security problem is.  When embarking on a security product purchasing decision, how many companies can answer the following fundamental question:  <em>What is your security problem and how do you expect this security product to solve it?</em>  The reason many security product deployments fail is that this essential question was never fully answered.</p>
<p>Any CISO who can’t answer that question is simply helping the sales rep reach their quarterly quota, while doing a disservice to their own organization.</p>
<p>The biggest mistake in security product procurement is that people buy security products without knowing specifically <strong>why</strong> they are making the purchase.  So what is the solution? </p>
<p>Stop that cycle by considering the following:</p>
<ul>
<li><strong>Understand the limits of security products</strong> – There are no silver bullets.  Information security is far too complex to be solved by a single appliance.</li>
<li><strong>Implement information security products in a systematic and methodical manner</strong> – Detail <em><span style="text-decoration: underline;">your</span></em> requirements and map them to the product.  Don’t let the vendor drive the requirement process.</li>
<li><strong>Information security strategy</strong> – Don’t buy information security products if you don’t have a formal information security strategy.</li>
<li><strong>Policy</strong> – It is the underpinning of an effective information security program.  Security products abhor a policy vacuum.</li>
<li><strong>Focus inward</strong> – Don’t look at the micro level of a security product.  Instead, examine the macro level of the security issues of the system or network you want to secure.  Don’t first obsess on the products.  Focus on your staff, internal procedures, requirements, etc.  After you have done the appropriate research and analysis, then you can obsess on the products.</li>
<li><strong>Most security products are quite similar</strong> – As a general rule, <em>most</em> established COTS security products are essentially indistinguishable from each other and can fundamentally achieve what <em>most</em> organizations require. </li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/hi-my-name-is-hype-and-i-am-your-security-product/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>It Pays to Plan</title>
		<link>http://www.btsecurethinking.com/2010/07/it-pays-to-plan/</link>
		<comments>http://www.btsecurethinking.com/2010/07/it-pays-to-plan/#comments</comments>
		<pubDate>Thu, 01 Jul 2010 15:27:01 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[business continuity]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Denial-of-Service]]></category>
		<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[London 2012]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Ray Stanton]]></category>
		<category><![CDATA[Scalability]]></category>
		<category><![CDATA[virtualization]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=782</guid>
		<description><![CDATA[By Tara Savage, Global Security Marketing Manager, BT
Just as the athletes are beginning to get serious in their preparations for the 2012 Games in London, Ray Stanton, BT’s global head of security, business continuity, and governance capability, is urging companies to start their business continuity preparations as well.  Although the Games are all about goodwill [...]]]></description>
			<content:encoded><![CDATA[<p>By Tara Savage, Global Security Marketing Manager, BT</p>
<p>Just as the athletes are beginning to get serious in their preparations for the 2012 Games in London, Ray Stanton, BT’s global head of security, business continuity, and governance capability, is urging companies to start their business continuity preparations as well.  Although the Games are all about goodwill on the track, in the pool, and on the field, the propensity for attacks will increase exponentially during the games. </p>
<p>For Stanton, resilient operations and the ability to maintain a sizeable lead over cyber-criminals all comes down to advance planning.  Leave your data center virtualization until 2011 and you might just be scrambling to make decisions and in the long run, make poor choices. </p>
<p>Stanton’s key recommendations are:</p>
<ul>
<li>Know what constitutes an incident for your business – is downtime as bad as data theft for your organization?</li>
<li>Think about how your network will grow in the next two years so you can accommodate this growth in your BCDR planning</li>
<li>Assess the risk of temporary staff and only grant access to trusted individuals and those whose roles require access</li>
<li>Consider data center virtualization as a way to increase redundancy </li>
</ul>
<p>Ray’s comments, along with those of Danny Garvey and the other BT experts quoted in this article, specifically address issues that will affect UK-based companies during the 2012 Games.  Yet their advice is just as applicable to companies in any city that is host to an event that garners global attention.</p>
<p>While these hosts are often iconic “world cities” like London, Washington, D.C., or Berlin, a number of smaller cities – such as Salt Lake City (Winter Olympics 2002), Pittsburgh (G20 Summit 2009) and Toronto (G20 Summit 2010) – are as likely to be thrust into the limelight with all the positive, and negative, attention that entails.</p>
<p>To learn more about how BT is helping its customers get ready for the 2012 Games, read the full article <a href="http://telegraph.clikpages.co.uk/ontrack_2010/iframe.html">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/07/it-pays-to-plan/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BP Oil Spill Wakes Up Country to Need for Stronger SCADA Controls</title>
		<link>http://www.btsecurethinking.com/2010/06/bp-oil-spill-wakes-up-country-to-need-for-stronger-scada-controls/</link>
		<comments>http://www.btsecurethinking.com/2010/06/bp-oil-spill-wakes-up-country-to-need-for-stronger-scada-controls/#comments</comments>
		<pubDate>Tue, 29 Jun 2010 13:45:23 +0000</pubDate>
		<dc:creator>bcattolica</dc:creator>
				<category><![CDATA[SecureStrategies]]></category>
		<category><![CDATA[BP oil spill]]></category>
		<category><![CDATA[BT Security]]></category>
		<category><![CDATA[MSSP]]></category>
		<category><![CDATA[SCADA compliance. Cyber terrorists]]></category>

		<guid isPermaLink="false">http://www.btsecurethinking.com/?p=775</guid>
		<description><![CDATA[By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services
BP – a company name that’s on the minds of most Americans today and probably not in a good way.  The crisis we face today with the major oil spill is catastrophic and a direct result of time and cost pressures [...]]]></description>
			<content:encoded><![CDATA[<p>By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services</p>
<p>BP – a company name that’s on the minds of most Americans today and probably not in a good way.  The crisis we face today with the <a  href="http://www.washingtonpost.com/wp-dyn/content/article/2010/06/22/AR2010062205391.html?hpid=topnews">major oil spill</a> is catastrophic and a direct result of time and cost pressures brought about in response to our increasing demand for energy.</p>
<p>BP is in the news today, but if demand growth for oil continues at this rate and supplies continue to dwindle, the oil spill we face today may seem small in comparison to future accidents.</p>
<p>With the industry trying to keep up with demand, network operations have been centralized, requiring distant controls to be managed over a wide variety of networking technologies, with all the attendant gateways such a model implies. </p>
<p>While this approach can reduce costs and improve efficiency, it can also open the door to attacks by hackers and cyber terrorists.  This is a very real threat faced by oil and gas companies today.  Researchers have directly warned oil companies across the globe that offshore rigs are highly vulnerable to attacks.  In fact, just last year, a <a href="http://www.foreignpolicy.com/articles/2009/08/25/the_new_threat_to_oil_supplies_hackers">contractor in California</a> was charged in federal court for hacking into a digital network in an attempt to disable an offshore rig, after allegedly being angry about not being hired as a full-time employee.  The attack – against a SCADA control system – was illustrative of the types of threats which, if successful, could have grave consequences.  Legacy thinking and a frequent lack of third-party testing and review all combine to create a classic system of unexpected complexity.  Such systems are the most likely to suffer compromise, whether malicious or accidental, resulting in catastrophic outcomes.</p>
<p>A multi-layered approach is critical to securing SCADA networks.  Each of the following layers plays a role in securing mission-critical, real-time control systems:</p>
<ul>
<li>Perimeter Controls (Internet or Corporate Perimeter Defense)</li>
<li>People, Policies, Procedures (Business Continuity, Disaster Recovery)</li>
<li>Network Architecture (Firewalls, Routers, Switches)</li>
<li>Network Operating Systems (Domain Security, Active Directory, etc.)</li>
<li>Host Security (Operating systems of servers and workstations)</li>
<li>Application Security (SCADA, EMS, Database, Web, and more)</li>
<li>Unique Security Requirements for what is being protected (Plant equipment, RTUs, PLCs, etc.)</li>
</ul>
<p>Each layer requires ongoing testing and evaluation to determine the vulnerabilities that exist in these systems.  Oil and gas companies must consider a <a  href="http://bt.counterpane.com/utilities-consulting.html">holistic approach</a> to their security to avoid a potential cyber attack.  This approach includes:</p>
<ul>
<li><span style="text-decoration: underline;">Building a road map for security and regulation compliance</span> – what systems are in place and how are they integrated?</li>
<li><span style="text-decoration: underline;">Assessing vulnerabilities</span> – identify and understand current vulnerabilities in  the security of physical, IT and SCADA controls</li>
<li><span style="text-decoration: underline;">Penetration testing</span> – the only way to know if a hacker can get into your network or facility is to actually <a  href="http://bt.counterpane.com/ethical-hacking.html">test the vulnerabilities</a> found with an assessment</li>
<li><span style="text-decoration: underline;">Developing an emergency response and disaster recovery plan</span> – as we have seen with BP, there is a need to have a plan for the unexpected.  Having such a plan allows an organization to quickly recover and restore critical operational functions after an unexpected event</li>
<li><span style="text-decoration: underline;">Gathering evidence</span> – when critical assets come under attack, quick action is required to gather digital evidence and then use the evidence to prosecute</li>
</ul>
<p>While this “to do” list for full SCADA security may seem overwhelming, engaging with a professional services organization that can assist in the execution and delivery of these steps &#8212; particularly penetration testing and BCDR plan development &#8212; can radically simplify the task list.  Learn more about how BT helps companies secure their critical infrastructure.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.btsecurethinking.com/2010/06/bp-oil-spill-wakes-up-country-to-need-for-stronger-scada-controls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
