Brent’s Interview About His Most Recent Book

 

Introduction

In today’s digital age, the importance of cyber-security cannot be overstated. With threats evolving at an unprecedented rate, organizations need to be proactive in their approach to safeguarding their assets. “We Need To Talk: 52 Weeks To Better Cyber-Security” by L. Brent Huston offers a comprehensive guide to navigating the complex world of cyber-security. We sat down with the author to delve deeper into the inspiration, content, and significance of this book.

Interview

Q1: What inspired you to write “We Need To Talk: 52 Weeks To Better Cyber-Security”?

A1: As a virtual CISO and 30+ year security practitioner, I know how important it is to keep the security team engaged with one another, encourage open discussions, and do continual learning. I wrote the book to give security teams a good basis for these discussions every week for a year. Covering the basics and letting the team discuss sticking points and areas for improvement has led my clients to identify some interesting trends and rapidly mature their security programs. I think, literally, “We Need To Talk”. We need it as practitioners, individuals, teams, and organizations. This is a stressful, detail-oriented, rapid-change business, and talking helps nearly everyone involved.

Q2: Why did you feel it was essential to provide such a comprehensive view of cyber-security?

A2: So much of what we do is complex and touches multiple areas of our organization that we must bring the basics to each. I picked the topics for discussion in the book to address the high-level, technical, and procedural controls that almost every organization needs. I threw in some of the more tenacious topics I’ve encountered in my career and a few curve balls that have bitten us over the years. Information security and risk management are broad-spectrum careers, and we need a broad spectrum of topics to help security teams be successful.

Q3: Can you elaborate on how the structure of the book facilitates this year-long journey?

A3: This is a great question. The book idealizes a weekly security team meeting where the team discusses one of the topics and why it is relevant and then works through a series of questions to help them hone and refine their security program. The book includes a topic for each week, appropriate background information about that topic, and a set of questions for discussion by the team. As I piloted the book with my clients, it became clear that these were ultra-powerful discussions and led to some amazing insights. I knew then that I had to write and put the book out there to benefit security teams and practitioners.

Q4: How did leveraging AI tools shape the content and structure of the book?

A4: I used several AI tools to help generate the content of the book. It was written programmatically, in that I wrote some programming to leverage an AI backend to generate the questions and background information for each topic. I then adjusted the code and moderated the output until I got the book I wanted. It took a while, but it was fantastic when completed. I wanted to experiment with writing with AI tools, and since I knew the book I wanted to create had a specific format and content, it seemed like a good experiment. Ultimately, I learned much about working with AI and using Grammarly for editing and self-publishing. I have been absolutely thrilled with the response to the book and how the experiment turned out. In fact, it gave birth to another project that I am just beginning and will pave the way for some exciting new breakthroughs in how to work with AI tools in the coming years.

Q5: What is the one core message or lesson from your book that you’d like security teams to take away?

A5: The one takeaway I would have them consider is that discussion among the security team can really help a lot of the team members and the organization at large. We need to talk more about the work we do, both inside our teams and to the other teams we work with across the enterprise. The more we discuss, the more likely we can support each other and find the best solutions to our common problems and issues. Implementing the strategies, tactics, and insights we discover along the way might just be the change we need to make information security more effective, easier to manage, and even more fun!

Summary

L. Brent Huston’s “We Need To Talk: 52 Weeks To Better Cyber-Security” is more than just a book; it’s a roadmap for security teams to navigate the intricate maze of cyber-security. Through structured discussions, the book aims to foster collaboration, understanding, and growth among security professionals. With the unique blend of AI-generated content and Huston’s vast experience, this book promises to be an invaluable resource for those in the field.

 

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

 

Saved By Ransomware Presentation Now Available

I recently spoke at ISSA Charlotte, and had a great crowd via Zoom. 

Here is the presentation deck and MP3 of the event. In it, I shared a story about an incident I worked around the start of Covid, where a client was literally saved from significant data breach and lateral spread from a simple compromise. What saved them, you might ask? Ransomware. 

That’s right. In this case, ransomware rescued the customer organization from significant damage and a potential loss of human life. 

Check out the story. I think you’ll find it very interesting. 

Let me know if you have questions – hit me up the social networks as @lbhuston.

Thanks for reading and listening! 

Deck: https://media.microsolved.com/SavedByRansomware.pdf

MP3: https://media.microsolved.com/SavedByRansomware.mp3

PS – I miss telling you folks stories, in person, so I hope you enjoy this virtual format as much as I did creating it! 

Utility Tabletop Cybersecurity Exercises

Recently, a group of federal partners, comprised of the Federal Energy Regulatory Commission (FERC), North American Reliability Corporation (NERC) and its regional entities, released their Cyber Planning for Response and Recovery Study (CYPRES). The report was based on a review and analysis of the incident response and recovery capabilities of a set of their members’ cyber security units, and is a great example of the information sharing that is increasing in the industry. The report included reviews of eight utility companies’ incident response plans for critical infrastructure environments, and the programs reviewed varied in their size, complexity and maturity, though all were public utilities.

Though the specific tactics suggested in the report’s findings have come under fire and criticism, a few items emerged that were of broad agreement. The first is that most successful programs are based on NIST 800-61, which is a fantastic framework for incident response plans. Secondly, the report discusses how useful tabletop exercises are for practicing responses to cybersecurity threats and reinforcing the lessons-learned feedback loop that improves capabilities. As a result, each public utility should strongly consider implementing periodic tabletop exercises as a part of its cyber security and risk management programs.

Tabletop Exercises from MSI

At MicroSolved, we have been running cyber security tabletop exercises for our clients for more than a decade. We have a proprietary methodology for building out the role playing scenarios and using real-world threat intelligence and results from the client’s vulnerability management tools in the simulation. Our scenarios are developed into simulation modules, pre-approved by the client, and also include a variety of randomized events and nuances to more precisely simulate real life. During the tabletop exercise, we also leverage a custom written gaming management system to handle all event details, track game time and handle the randomization nuances.

Our tabletop exercise process is performed by two MSI team members. The first acts as the simulation moderator and “game master”, presenting the scenarios and tracking the various open threads as the simulation progresses. The second team member is an “observer”, a skilled risk management practitioner who pre-reviews your incident response policies, procedures and documentation so that they can prepare a gap analysis after the simulation. The gap analysis compares your performance during the game to the process and procedure requirements described in those documents and notes any differences, weaknesses or suggestions for improvement.

Target scenarios can be created to test any division of the organization, wide scale attacks or deeply nuanced compromises of specific lines of business. Various utility systems can be impacted in the simulation, including business networks, payment processing, EDI/supply chain, metering/AMI/smart grid, ICS/SCADA or other mission critical systems. Combination and cascading failures, disaster recovery and business continuity can also be modeled. In short, just about any cyber risk can be a part of the exercise.

Tabletop Exercise Outcomes and Deliverables

Our tabletop exercises result in a variety of detailed reports and a knowledge transfer session, if desired. The reports include the results of the policy/procedure review and gap analysis, a description of the simulated incident and an action plan for future improvements. If desired, a board level executive summary can also be included, suitable for presentation to boards, management teams, direct oversight groups, Public Utility Commission and Homeland Security auditors as well.

These reports discuss the security measures tested, and provide advice on proactive controls that can be implemented, enhanced, matured or practiced so that future incidents are met with more rapid and efficient recovery.

The knowledge transfer session is your team’s chance to ask questions about the process, learn more about the gaps observed in its performance and discuss the lessons learned, suggestions and controls that call for improvement. Of course the session can include discussions of related initiatives and provide for contact information exchange with our team members, in the event that they can assist your team in the future. The knowledge transfer session can also be performed after your team has had a chance to perform a major review of the reports and findings.

How to Get Started on Tabletop Exercises from MSI

Tabletop exercises are available from our team for cyber security incidents, disaster preparedness and response or business continuity functions. Exercises are available ad hoc or as 1 year, 2 year or 3 year subscription packages, with frequencies ranging from quarterly to twice per year or yearly. Our team’s experience is applicable to all utility cyber programs and can include any required government partners, government agencies or regulators as appropriate.

Our team can help develop the scope of threats, cyber attacks or emergency events to be simulated. Common current examples include ransomware, phishing-based account compromises, cyber attacks that coincide with catastrophic events or service disruptions, physical attacks against substations or natural gas pipelines, data breach and compromise of various parts of the ICS/SCADA infrastructure. Our team will work with you to ensure that the scenario meets all of your important points and concerns.

Once the scenario is approved, we will schedule the simulation (which can be easily performed via web-conference to reduce travel costs and facilitate easy team attendance) and build the nuances to create the effects of a real event. Once completed, the reporting and knowledge transfer sessions can follow each instance.

Tabletop exercises can go a long way to increasing cybersecurity preparedness and reinforcing the cybersecurity mindset of your team. They can also be a great opportunity for increasing IT/OT cooperation and strengthening relationships between those team members.

To get started, simply contact us via this web form or give us a call at (614) 351-1237. We would love to discuss tabletop exercises with you and help you leverage them to increase your security posture.

 

State of Security Podcast Episode 17 is Out!

In this episode (~45 minutes), I answer questions from the audience around blockchain and smart contract security considerations. I cover some of the reasons why I think these technologies are important, what their potential impacts are likely to be and how information security teams should prepare. Some of the questions drift into changes around store of value, investment insights and other closely related topics.

This episode is sponsored by MachineTruth™ – a new passive, analytics-based solution for network inventory, traffic analysis and security baselining. Learn more at http://www.machinetruth.net.

 

They Price It Right! Come on down…

Healthcare from the United States, come on down! Welcome to “They Price It Right!” There goes the industry, high-fiving all the other industries in the studio as it rushes towards Drew Carey and the stage. And pays the ransom.

In 2017, healthcare organizations accounted for 15% of all security incidents and data breaches, second only to financial institutions (from Verizon’s 2017 DBIR). 66% of malware was installed through either email links or attachments. The healthcare industry has also been hard hit with ransomware in recent years.

* The above images captured from Verizon’s 2017 Data Breach Investigations Report

The last several years have seen a dramatic increase in ransomware within healthcare. To quote the CEO of an organization that DID pay out the ransom demand, “These folks have an interesting business model. They make it just easy enough. They price it right.” Symantec’s ISTR on Ransomware 2017 reports the average ransom demand “appears to have stabilized at US$544 indicating attackers may have found their sweet spot.” Ahhh… I can just picture the blackmailer getting a notification that their target had succumbed and paid up… that hit the sweet spot.

However, a reminder: a $500 ransom may not seem like much to an organization with millions or billions in revenue, but that’s per infection (sorry, pun not intended as we’re discussing the healthcare industry). Dozens or hundreds of infections can easily tally the ransom up to a total in the tens or hundreds of thousands.

Furthermore, paying the sweet spot ransom does not guarantee even a bittersweet outcome. SentinelOne’s 2018 Ransomware Study shows 42% of ransom payments did not result in data recovery. 58% demanded a second payment.

* The above image captured from SentinelOne’s Global Ransomware Study 2018

Most ransomware is delivered through email. Phishing. Spearphishing. Targeted targets. Email addresses for an organization can easily be harvested using readily available open source tools. 15 minutes to create a phishing campaign with the newly found targets with a link or malicious attachment. The context of the email can be social media related, user needs to reset their password, they have a package that was undelivered, the CEO has attached a memo addressed to all staff. The recent Russian indictments – regardless of the reader’s political leanings – are proof that PHISHING WORKS! (Also blogged here in stateofsecurity.com)

Technology has come a long way – email filters, domain verification, Sender Policy Framework, malware and link scanners – plus many more help in filtering out the 50-70% of email traffic that is spam. But they still get through. I know for one that my Inbox is not spam-free or devoid of phishing messages.

Since technology is not at the point where it’s able to stop all phishing email, it is up to the user to NOT click on that link or attachment. Sure, there are technologies that prevent bad things from happening if a user DOES click on a phishing link or malicious attachment. But then again, technology is not at the point where it is 100% effective.

Businesses with big budgets buy all kinds of hardware and software solutions to try to counter phishing. But they ignore a big piece of the phishing attack model, and that is the end user. And here, education and training are imperative.

Repeated phishing exercises should be conducted on all or selected groups of employees. These campaigns should be at not-too-regular intervals, so as not to evoke anticipation from the employees – alright, here come some vaguely suspicious emails on the first day of each quarter; I’ll just delete them. Then the rest of the year, they blatantly open, view and click on any and all email links. The simulated campaigns should be randomized and as unexpected as possible.

These campaigns should also be followed up with some education, either static web pages, a training video or a live in-person session. Phishers are always coming up with new tricks and methods. As a result, end users should be brought up to speed with those new tricks. A couple of academic research papers on the efficacy of phishing training demonstrate that EDUCATION WORKS! (links under Resources below)

Then there needs to be a culture of non-retribution. Phishing exercises should be conducted with learning as the objective. Employees should come away with a heightened awareness of phishing and the social engineering tricks used by phishers that make you just want to click that link/attachment.

Employees should be encouraged to report any suspicious email so that word gets around. Homeland Security’s “See something, say something” campaign applies here too; if someone is targeting your firm, alert your fellow colleagues.
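The post's recommendations for a simulation program (irregular, unpredictable send dates, never a fixed day like the first of the quarter, staff staggered rather than hit all at once) can be turned into a small scheduler. The following is an added example and not code from the original post or from MicroSolved; the one-year window, the minimum gap between campaigns, the three "predictability" tests and the cohort-splitting approach are all assumptions chosen to illustrate the advice.

```python
"""Randomised phishing-simulation calendar.

Hypothetical example code, not from the original post. It draws campaign
send dates at irregular intervals, skips the first business day of each
quarter, and checks that the resulting calendar has no pattern staff could
learn. The window (one calendar year), the minimum gap between campaigns
and the predictability tests are assumptions.
"""
import random
from datetime import date, timedelta
from typing import List, Optional


def is_business_day(d: date) -> bool:
    return d.weekday() < 5  # Monday..Friday


def first_business_day(d: date) -> date:
    while not is_business_day(d):
        d += timedelta(days=1)
    return d


def looks_predictable(dates: List[date]) -> bool:
    """True if the calendar has a cadence staff could anticipate:
    evenly spaced, always the same weekday, or always the same day of month."""
    if len(dates) < 2:
        return False
    gaps = {(b - a).days for a, b in zip(dates, dates[1:])}
    if len(dates) >= 3 and len(gaps) == 1:   # identical spacing every time
        return True
    if len({d.weekday() for d in dates}) == 1:  # always e.g. a Monday
        return True
    if len({d.day for d in dates}) == 1:        # always e.g. the 1st
        return True
    return False


def plan_campaigns(year: int, campaigns: int, min_gap_days: int = 21,
                   seed: Optional[int] = None) -> List[date]:
    """Pick `campaigns` business days in `year`, at least `min_gap_days`
    apart, never on a quarter's first business day, and redraw until the
    calendar does not look predictable."""
    rng = random.Random(seed)
    start = date(year, 1, 1)
    quarter_openers = {first_business_day(date(year, m, 1)) for m in (1, 4, 7, 10)}
    candidates = [
        d for d in (start + timedelta(days=i) for i in range(366))
        if d.year == year and is_business_day(d) and d not in quarter_openers
    ]
    for _ in range(1000):  # whole-calendar redraws
        chosen: List[date] = []
        for _ in range(5000):  # rejection sampling against the gap rule
            d = rng.choice(candidates)
            if all(abs((d - c).days) >= min_gap_days for c in chosen):
                chosen.append(d)
                if len(chosen) == campaigns:
                    break
        chosen.sort()
        if len(chosen) == campaigns and not looks_predictable(chosen):
            return chosen
    raise ValueError("could not fit the campaigns; reduce count or min_gap_days")


def assign_cohorts(employees: List[str], campaigns: int,
                   seed: Optional[int] = None) -> List[List[str]]:
    """Shuffle staff into one cohort per campaign so that no single send
    hits the whole company at once (assumed staggering approach)."""
    rng = random.Random(seed)
    pool = employees[:]
    rng.shuffle(pool)
    return [pool[i::campaigns] for i in range(campaigns)]


if __name__ == "__main__":
    # Constructed staff list for demonstration only.
    staff = [f"user{i:02d}@example.test" for i in range(12)]
    plan = plan_campaigns(2025, campaigns=4, seed=42)
    for send_date, cohort in zip(plan, assign_cohorts(staff, 4, seed=42)):
        print(send_date.isoformat(), send_date.strftime("%a"), cohort)
```

Pass a fixed seed when you want the same calendar reproduced for an audit trail; leave it unset in production so the schedule is genuinely unpredictable. The predictability check is also useful on its own for reviewing a hand-made schedule before it goes out.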

Resources:

https://www.verizonenterprise.com/resources/reports/2017_dbir_en_xg.pdf

https://go.sentinelone.com/rs/327-MNM-087/images/Ransomware%20Research%20Data%20Summary%202018.pdf

https://www.healthcaredive.com/news/must-know-healthcare-cybersecurity-statistics/435983/

https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-ransomware-2017-en.pdf

https://blog.barkly.com/phishing-statistics-2016

http://www.cs.cmu.edu/~jasonh/publications/apwg-ecrime2007-johnny.pdf

https://www.usenix.org/system/files/conference/soups2017/soups2017-lastdrager.pdf

https://www.dhs.gov/see-something-say-something/about-campaign

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

Privacy Concerns With Facebook’s iPhone App

I just wanted to give everyone a quick example of why you should always exercise caution when modifying an application’s privacy settings.

Facebook is rolling out a feature in the US that allows people to automatically identify and share things they’re listening to or watching. It’s important to keep in mind that leveraging this feature requires that you grant Facebook access to your iPhone’s microphone. This means that Facebook will turn on your microphone every time you write a status update. It is worth considering the sacrifice in privacy compared to the convenience that you gain by leveraging this feature. Is it really worth allowing an organization to hear your conversations just so you can gain the ability to easily share what TV show you’re watching?

Facebook has stated that they do not record or archive these transmissions. However, using this feature requires that you trust that a 3rd-party (Facebook) will handle your data appropriately. Do you really need to provide them with this data? Does it really save you that much time to have your background noise automatically analyzed? These are questions you should ask yourself prior to providing Facebook with this level of access.

Privacy vs. Convenience

I’ve lost track of how many useful cloud-based services I have signed up for within the last few years. I can’t picture my life without products like Uber, FancyHands and Gmail. It often surprises people to find out that these products are free or very inexpensive. If they’re giving the service away for free or at a very low cost, how can the companies make money?

Typically, a service provider is able to gain a substantial profit based on the fact that they are able to harvest your data. Imagine what an advertiser could gain just by learning information about your latest Uber ride. When using a service provider, it’s important to ask yourself, is the convenience worth the sacrifice of your privacy? While it’s possible that not all of these service providers are harvesting or selling your data, it’s worthwhile to at least consider your loss of control.

Personally, I have found that there are circumstances in which I am willing to sacrifice my privacy for a cheaper and more effective product. I feel that the convenience of being able to order a cab with the touch of a button on my phone is worth the risk of another corporation learning details about my trip. Another circumstance in which I am willing to forgo a bit of my privacy to gain a convenience would be my use of a “savings card” at my local grocery store. I have no doubt that they are tracking and analyzing my purchases. However, I have always felt that it is worthwhile to share my purchase history with the grocery store due to the discounts that they provide for using the “savings card”.

Despite the fact that I am often willing to forgo my privacy in an attempt to gain access to a service offering, there are products for which I do not feel that the offered convenience warrants the loss of control over my personal information. For example, I recently looked into leveraging a service that could automatically unsubscribe me from a number of subscription emails. As annoying as those emails can be, I didn’t feel that the convenience of this service was worth letting a 3rd party parse through all of my emails.

Each time my personally identifiable information (PII) is exposed to attackers as a part of a data breach, I become more likely to voluntarily share my personal information with a 3rd party in an effort to gain a convenience. Next time you prepare to sign up for a free or discounted service, be sure to take a few extra moments to decide whether or not you are willing to expose your private information to gain access to the service. After all, there’s no such thing as a free lunch.

State Of Security Podcast Episode 4

We are proud to announce the release of State Of Security, the podcast, Episode 4. This time around I am hosting John Davis, who riffs on policy development for modern users, crowdsourcing policy and process management, rational risk assessment and a bit of history.

Give it a listen and let us know what you think!

Thanks for supporting the podcast!

3 Books Security Folks Should Be Reading This Spring

I just wanted to drop 3 books here that I think infosec folks should check out this spring. As always, reading current material is an excellent way to keep your skills moving forward and allows you new perspectives on business and security matters. Even books from outside the security domain are useful for insights, new perspectives or indirect references.

Here’s what I suggest you check out this spring:

1. Antifragile by Taleb – This book will set your mind on fire if you are a traditional risk assessment person. It is astounding, though often difficult to read, but the ideas are a logical conclusion of all the previous Taleb theories from the Black Swan series. Beware, though, the ideas in this book may change the way you look at risk assessment, prediction and threat modeling in some radical ways! Long and tedious in spots, but worth it!

2. Linked: The New Science of Networks by Barabasi & Frangos – This book is an excellent mathematical and scientific discussion of networks, both logical and physical. It describes the sciences of graph theory, link analysis and relational mapping through easy to read and quite entertaining storytelling. Given the rise of Internet of Things environments, social networks and other new takes on old-school linked networks, this is a great refresher for those who want to re-cover this territory with modern insights.

3. Hacking Exposed 6 by Scambray – That’s right, go old-school and go back and learn penetration techniques from one of the best general hacking books in the industry. HE6 is an excellent book for covering the basics, and if there is anything all infosec folks need, it is a strong grasp of the basics. Learn and master these techniques in your lab. Work through the examples. Go ahead, we’ll wait. Have fun, and learn more about how bad guys still pwn stuff. Lots of these techniques, or variants of them, are still in use today!

There you go, now get reading! 🙂 

How to Use Risk Assessment to Secure Your Own Home

Risk assessment and treatment is something we all do, consciously or unconsciously, every day. For example, when you look out the window in the morning before you leave for work, see the sky is gray and decide to take your umbrella with you, you have just assessed and treated the risk of getting wet in the rain. In effect, you have identified a threat (rain) and a vulnerability (you are subject to getting wet), you have analyzed the possibility of occurrence (likely) and the impact of threat realization (having to sit soggy at your desk), and you have decided to treat that risk (taking your umbrella): that is risk assessment.

However, this kind of risk assessment is what is called ad hoc. All of the analysis and decision making you just made was informal and done on the fly. Pertinent information wasn’t gathered and factored in, other consequences such as the bother of carrying the umbrella around weren’t properly considered, other treatment options weren’t considered, etc. What business concerns and government agencies have learned from long experience is that if you investigate, write down and consider such factors rationally and holistically, you end up with a more realistic idea of what you are really letting yourself in for, and therefore you make better risk decisions: that is formal risk assessment.

So why not apply this more formal risk assessment technique to important matters in your own life such as securing your home? It’s not really difficult, but you do have to know how to go about it. Here are the steps:

1. System characterization: For home security, the system you are considering is your house, its contents, the people who live there, the activities that take place there, etc. Although you know these things intimately, it never hurts to write them down. Something about viewing information on the written page helps clarify it in our minds.

2. Threat identification: In this step you imagine all the things that could threaten the security of your home and family. These would be such things as fire, bad weather, intruders, broken pipes, etc. For this (and other steps in the process), you can go beyond your own experience and see what threats other people have identified (e.g. Google searches, insurance publications).

3. Vulnerability identification: This is where you pair up the threats you have just identified with weaknesses in your home and its use. For example, perhaps your house is located on low ground that is subject to flooding, or you live in a neighborhood where burglaries may occur, or you have old ungrounded electrical wiring that may short and cause a fire. These are all vulnerabilities.

4. Controls analysis: Controls analysis is simply listing the security mechanisms you already have in place. For example, security controls used around your home would be such things as locks on the doors and windows, alarm systems, motion-detecting lighting, etc.

5. Likelihood determination: In this step you decide how likely it is that the threat/vulnerability will actually occur. There are really two ways you can make this determination. One is to make your best guess based on knowledge and experience (qualitative judgement). The second is to do some research and calculation and try to come up with actual percentage numbers (quantitative judgement). For home purposes I definitely recommend qualitative judgement. You can simply rate the likelihood of occurrence as high, medium or low.

6. Impact analysis: In this step you decide what the consequences of threat/vulnerability realization will be. As with likelihood determination, this can be judged quantitatively or qualitatively, but for home purposes I recommend looking at worst-case scenarios. For example, if someone broke into your home, it could result in something as low impact as minor theft or vandalism, or it could result in very high impact such as serious injury or death. You should keep these more dire extremes in mind when you decide how you are going to treat the risks you find.

7. Risk determination: Risk is determined by factoring in how likely threat/vulnerability realization is with the magnitude of the impact that could occur and the effectiveness of the controls you already have in place. For example, you could rate the possibility of home invasion occurring as low, and the impact of the occurrence as high. This would make your initial risk rating a medium. Then you factor in the fact that you have an alarm system and unpickable door locks in place, which would lower your final risk rating to low. That final rating is known as residual risk.

8. Risk treatment: That’s it! Once you have determined the level of residual risk, it is time to decide how to proceed from there. Is the risk of home invasion low enough that you think you don’t need to apply any other controls? That is called accepting risk. Is the risk high enough that you feel you need to add more security controls to bring it down? That is called risk limitation or remediation. Do you think that the overall risk of home invasion is just so great that you have to move away? That is called risk avoidance. Do you not want to treat the risk yourself at all, and so you get extra insurance and hire a security company? That is called risk transference.
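The qualitative scoring described in the risk determination and risk treatment steps can be written down as a small risk register script. This is an added example, not code from the original post or its author; the three-level scale, the likelihood-by-impact matrix, the rule for how existing controls lower the initial rating, and the mapping from residual risk to a suggested treatment are all assumptions, chosen so that the post's own home-invasion example (low likelihood, high impact, alarm plus unpickable locks) comes out as a medium initial rating and a low residual rating, as the post describes.

```python
"""Qualitative home risk assessment following the eight steps in the post.

Hypothetical example code, not from the original article. The rating scale
(low/medium/high), the likelihood x impact matrix, the rule for how controls
lower the initial rating and the treatment suggestions are assumptions.
"""
from dataclasses import dataclass, field
from typing import List

LEVELS = ["low", "medium", "high"]                       # ordinal scale for every rating
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}   # low=1, medium=2, high=3


@dataclass
class Control:
    name: str
    effectiveness: str   # low / medium / high (assumed rating of the control)


@dataclass
class Risk:
    threat: str            # step 2
    vulnerability: str     # step 3
    likelihood: str        # step 5
    impact: str            # step 6
    controls: List[Control] = field(default_factory=list)   # step 4


def initial_rating(likelihood: str, impact: str) -> str:
    """Step 7, first half: combine likelihood and impact on a 3x3 matrix.
    Product 1-2 -> low, 3-4 -> medium, 6-9 -> high (assumed matrix)."""
    product = SCORE[likelihood] * SCORE[impact]
    if product <= 2:
        return "low"
    if product <= 4:
        return "medium"
    return "high"


def residual_rating(initial: str, controls: List[Control]) -> str:
    """Step 7, second half: existing controls lower the rating.
    Assumed rule: sum the control effectiveness scores; every two points
    lowers the rating one level, to a maximum of two levels."""
    points = sum(SCORE[c.effectiveness] for c in controls)
    drop = min(2, points // 2)
    return LEVELS[max(0, LEVELS.index(initial) - drop)]


def suggest_treatment(residual: str) -> str:
    """Step 8: map residual risk to the post's four treatment options.
    The mapping is an assumption; the post leaves it as a judgement call."""
    return {
        "low": "accept",
        "medium": "limit (add or improve controls)",
        "high": "limit, or transfer/avoid if controls cannot bring it down",
    }[residual]


def assess(risk: Risk) -> dict:
    """Run steps 7 and 8 for one register entry."""
    initial = initial_rating(risk.likelihood, risk.impact)
    residual = residual_rating(initial, risk.controls)
    return {
        "threat": risk.threat,
        "initial": initial,
        "residual": residual,
        "treatment": suggest_treatment(residual),
    }


# Constructed register: the post's worked example plus two more entries.
HOME_RISKS = [
    Risk("home invasion", "burglaries occur in the neighbourhood", "low", "high",
         [Control("alarm system", "medium"), Control("unpickable door locks", "medium")]),
    Risk("electrical fire", "old ungrounded wiring", "medium", "high",
         [Control("smoke detectors", "low")]),
    Risk("flooding", "house sits on low ground", "low", "medium", []),
]

if __name__ == "__main__":
    for row in map(assess, HOME_RISKS):
        print(f"{row['threat']:<16} initial={row['initial']:<7} "
              f"residual={row['residual']:<7} -> {row['treatment']}")
```

Writing the register this way makes the hidden judgement calls explicit: if you disagree with how much credit an alarm system deserves, you change the effectiveness rating in one place and every dependent residual rating and treatment suggestion updates with it, which is exactly the "write it down and consider it holistically" discipline the post argues for.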

So, next time you have to make a serious decision in your life such as changing jobs or buying a new house, why not apply the risk assessment process? It will allow you to make a more rational and informed decision, and you will have the comfort of knowing you did your best in making the decision. 

Thanks to John Davis for this post.