In my previous post, I spoke about all of the different DEFCON villages where attendees can learn about and purchase all sorts of fun hacking/counter hacking tools. Even so, I covered only a small fraction of the activities at the conference. For example, attendees have the opportunity to participate in a lot of contests run […]
The post "Hacking Is Not a Crime! Additional Thoughts from DEFCON 2019" appeared first on The State of Security.
Fall is officially here, and that can only mean that SecTor is right around the corner! All summer long, I've been planning and prepping new ideas for this year's IoT Hack Lab and training session. With just a few weeks to go until the conference kicks off, I'm more than a little excited about the […]
Every year when I go to Black Hat USA and DEFCON, I am reminded of the constant battle between light and dark… wait, that's Return of the Jedi. I mean the constant battle between infosec and the big bad hacker. And it's not just the uber sophisticated hacks that involve fuzzing and SQL Injections (Am I […]
Cyber Security for Executives (including deans and small business owners).
This year’s conference at the Johns Hopkins University covered ground of interest to business leaders, especially with respect to the implications cyber risk has for their legal and contracting activities. The executives for whom the conference was organized were expansively and quite properly defined to include not just the denizens of a Fortune 500 C-suite, but small business owners, partners in medical and accounting practices, college deans, and so on.
In his opening remarks, Anton Dahbura, Director of the Information Security Institute at the Johns Hopkins University’s Whiting School of Engineering, reviewed his “Unlucky Top 13” list, an inventory of recent security horror-shows. He thinks these incidents (the Equifax breach being the one that’s arrived with most éclat) may have induced the public to pay attention, and may finally be moving people away from what Dahbura called “the gazelle mentality,” that is, the comforting thought that if you stay close to the herd, you’ll be OK. (You won’t.)
And Bob Olsen, CEO of event sponsor COMPASS Cyber Security, closed with some effective analogies security professionals can use to communicate with the business leaders they support.
Strategic perspective from US Cyber Command.
Guy Walsh, Brigadier General (retired), US Air Force, and currently responsible for strategic initiatives at US Cyber Command, delivered the conference’s opening keynote. He began with a quick observation about Equifax, saying that the incident should serve as a reminder that it can take time to patch and address known vulnerabilities.
He described the emergence of cyberspace as a fifth operational domain, joining land, sea, air, and space, and he described US Cyber Command as a warfighting organization recently elevated in status and sharply distinguished in its mission from the National Security Agency.
Walsh reviewed some Air Force history, and claimed that the first insider hack of the USAF was done in 1963, by John Boyd, the leading thinker of the Fighter Mafia. Boyd is more familiar as the officer who formulated the concept of the OODA loop, the cycle of Observe, Orient, Decide, and Act that he outlined in his Discourse on Winning and Losing. Boyd argued that if one could execute that cycle faster than one’s adversary, “get inside their OODA loop,” one would have a decisive advantage in combat. Getting inside the OODA loop, Walsh argued, was as important in cyberspace as it was in air-to-air combat.
After describing Buckshot Yankee, the response to the Russian intrusion into US Central Command networks by the Agent.btz worm, Walsh outlined the strategic adversaries the US faces. They are, as many others have said, Russia, China, North Korea, Iran, and terrorists. In this threat environment Cyber Command operates National Mission Forces, Combat Mission Forces, and Cyber Protection Forces, and, against ISIS, Joint Task Force Ares.
One trend and two observations Walsh made have implications for most enterprises, not just Cyber Command. The trend he sees is that big data and artificial intelligence will change the dynamic in cyberspace. His two observations with broader implications were, first, the point that retaliation against cyber attack need not be exclusively or primarily cyber retaliation. It may not need to be cyber retaliation at all. And second, when he described the three major Cyber Command exercises (Cyber Flag, Cyber Guard, and Cyber Knight) he said they took their inspiration from Red Flag, the Air Force’s realistic training against a dissimilar adversary opposing force. Like Red Flag, these exercises have been vital in increasing readiness and capability.
The risk landscape as seen from the perspective of the healthcare sector.
Stephanie Reel (CIO, the Johns Hopkins University Health Systems) brought the perspective of a healthcare organization (and a "hybrid organization") to the discussion. She claimed that healthcare has surpassed financial services as the most-targeted sector. In some ways the sector's modernization has increased its vulnerabilities. Unification and aggregation of data have exposed the sector to "unintentional negligence among the players." That unification is striking: about 60% of patient data in the United States is currently held by a single vendor.
With greater risk has come more spending on security, and Reel pointed out that this is not only a direct expense, but it imposes opportunity costs as well. "Money spent on security is not being spent to cure disease," she said, nor is it being used to improve public health. But the reality of the threat requires that security be addressed. Ransomware has been a particular problem for healthcare, Reel said as she reviewed her organization's experience with the MedStar incident of 2016. Medical care and patient safety require that digitized records and networked devices have high availability, and it is precisely that availability that ransomware attacks. Direct manipulation of medical devices themselves ("still sort of science fiction; we haven't seen it at Johns Hopkins") also remains a very real threat, although not yet a common one.
Reel seconded Dahbura’s call for a national conversation about an identification system, and, although she feared that people were too ready to concede defeat on identity management, still closed on a hopeful note. She thought the tensions a hybrid organization like hers faces among the competing claims of security, operations, healthcare, research, and education could ultimately be resolved.
This is an excerpt from an article originally written by The CyberWire.
We're sharing our research at the upcoming ISOI6, the US Department of Defense Cyber Crime Conference, Internet2 Joint Techs, and ShmooCon. If you are attending any of those events, we'd love to meet you in person! Alex talks about McColo, I'll be discussing Web malware in government networks, Stu covers the latest in malware obfuscation tactics, and Julia dives into the Srizbi botnet takedown. For dates, times, topics, and locations, please read on.
A few more details for those in the area / attending:
Jan. 29 in Dallas, TX (ISOI6)
Alex speaks on the topic of McColo on Jan 29 at 15:30. He'll discuss our efforts in working with coordinating bodies of the Internet and the press to facilitate the disconnection of McColo from the Internet. He'll also discuss how McColo (and the botnet C&Cs hosted there!) reconnected to the Internet and what the bot herders may have done during that brief window.
Jan. 30 in St. Louis, MO (DoD Cyber Crime Conference)
I'll be speaking on the topic "Web Malware: Combating the New Keys to the Kingdom." My session is this Friday, Jan 30, from 11:00 to 11:50 a.m. as part of the Information Assurance Track. I'll cover the threat and how today's countermeasures have been largely ineffective in preventing both the initial Web malware intrusions and the subsequent callbacks to C&C infrastructure. I'll also examine the malware infection cycle and discuss how government agencies can take preventative measures.
Feb. 4 in College Station, TX (Internet2 Joint Techs)
Stu's speaking on the topic "Web Malware Tech: Obfuscation and Other Evasion Techniques". His session is next Wednesday, Feb 4, from 8:50 to 9:10 a.m., and covers the increasing criminal sophistication of Web malware. He shows how a deadly cocktail of threats, such as phishing spam carrying URLs that load Web pages laced with obfuscated code, has made almost all security technologies obsolete. For example, pretty much all serious Web malware infections use obfuscation to slip past inspection of ordinary HTTP traffic on port 80.
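As an added illustration of the kind of obfuscation Stu's talk addresses (example code written for this page, not FireEye's): it builds constructed sample pages that hide a harmless payload behind the eval(String.fromCharCode(...)) and eval(unescape('%XX...')) wrappers common in drive-by loaders, scores each inline script on a few static indicators, and statically peels the wrappers off without ever executing the script. The sample pages, the payload's example.invalid URL, and the score thresholds are all assumptions made for the example.

```python
import re
import urllib.parse

# Constructed samples for this example, not pages captured in the wild. The
# hidden payload is the classic drive-by drop (an invisible iframe) and points
# at a reserved .invalid name so nothing is fetched if the page is ever loaded.
PAYLOAD = ('document.write(\'<iframe src="http://example.invalid/landing" '
           'width=0 height=0></iframe>\')')


def obfuscate_fromcharcode(js):
    """Wrap JS in the eval(String.fromCharCode(...)) chain used by loaders."""
    return "eval(String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + "))"


def obfuscate_unescape(js):
    """Wrap JS as a %XX-escaped string decoded with unescape() at run time."""
    return "eval(unescape('" + "".join("%%%02X" % ord(c) for c in js) + "'))"


def page(script):
    return "<html><head><script>%s</script></head><body></body></html>" % script


BENIGN_PAGE = page("function greet(n){document.getElementById('o')"
                   ".textContent='Hi '+n;}greet('reader');")
CHARCODE_PAGE = page(obfuscate_fromcharcode(PAYLOAD))
# Two layers: the fromCharCode chain itself is hidden behind unescape().
NESTED_PAGE = page(obfuscate_unescape(obfuscate_fromcharcode(PAYLOAD)))

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
EVAL_RE = re.compile(r"^\s*eval\((.*)\)\s*;?\s*$", re.S)
FROMCHARCODE_RE = re.compile(r"^String\.fromCharCode\(\s*([\d\s,]+)\)$")
UNESCAPE_RE = re.compile(r"^unescape\(\s*'((?:%[0-9A-Fa-f]{2})+)'\s*\)$")
NUMBER_LIST_RE = re.compile(r"(?:\d+\s*,\s*){4,}\d+")


def scripts(page_html):
    """Return the bodies of all inline <script> blocks in a page."""
    return SCRIPT_RE.findall(page_html)


def indicators(js):
    """Cheap static markers that an inline script is wrapping hidden code."""
    return {
        "eval": len(re.findall(r"\beval\s*\(", js)),
        "unescape": len(re.findall(r"\bunescape\s*\(", js)),
        "fromcharcode": len(re.findall(r"fromCharCode\s*\(", js)),
        "longest_number_list": max(
            (len(m.split(",")) for m in NUMBER_LIST_RE.findall(js)), default=0),
        "escape_density": js.count("%") / max(len(js), 1),
    }


def obfuscation_score(js):
    """Heuristic score; the weights and thresholds are assumptions for this example."""
    ind = indicators(js)
    score = 2 * (ind["eval"] + ind["unescape"] + ind["fromcharcode"])
    if ind["longest_number_list"] >= 20:   # long char-code lists
        score += 3
    if ind["escape_density"] > 0.15:       # body is mostly %XX escapes
        score += 3
    return score


def unwrap_once(js):
    """Statically peel one eval(...) wrapper; None if it is not a known one."""
    m = EVAL_RE.match(js)
    if not m:
        return None
    inner = m.group(1).strip()
    cc = FROMCHARCODE_RE.match(inner)
    if cc:
        return "".join(chr(int(n)) for n in cc.group(1).split(",") if n.strip())
    ue = UNESCAPE_RE.match(inner)
    if ue:
        return urllib.parse.unquote(ue.group(1))  # handles %XX only, not %uXXXX
    return None


def deobfuscate(js, max_layers=10):
    """Peel wrappers until the script no longer starts with a known eval()."""
    for _ in range(max_layers):
        nxt = unwrap_once(js)
        if nxt is None:
            break
        js = nxt
    return js


def analyze(page_html, threshold=5):
    """Per-script verdict: score, decoded body, and whether it drops a hidden iframe."""
    results = []
    for js in scripts(page_html):
        decoded = deobfuscate(js)
        hidden_iframe = re.search(r"<iframe[^>]*(width|height)\s*=\s*['\"]?0",
                                  decoded, re.I) is not None
        score = obfuscation_score(js)
        results.append({"score": score, "decoded": decoded,
                        "hidden_iframe": hidden_iframe,
                        "suspicious": score >= threshold or hidden_iframe})
    return results


if __name__ == "__main__":
    for name, p in [("benign", BENIGN_PAGE), ("charcode", CHARCODE_PAGE),
                    ("nested", NESTED_PAGE)]:
        for r in analyze(p):
            print(name, r["score"], r["suspicious"], r["hidden_iframe"],
                  r["decoded"][:60])
```

The indicator counts alone flag both wrapped pages, but the decoded body is what an analyst actually wants: the nested sample unwraps through both layers to the hidden-iframe payload, and the benign script is returned untouched. Only two wrapper forms are recognised here; real loaders add arithmetic on the char codes, split strings, and custom decoders, which is why the static unwrap is a first pass and not a substitute for sandboxed execution.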
Feb. 6 in Washington, DC (ShmooCon)
Julia's session (The Srizbi Botnet Takedown) is during the Main Track day on Feb 6 at 17:00. Julia covers how FireEye was able to hijack the Srizbi botnet, which at the time was responsible for about 75% of all spam worldwide.
Hope to see a few of you there!