Wednesday, April 11, 2012

Book Review: America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare

I guess I am in a book-posting series for now, but since I had to do a book review to earn CPE credits for my CISSP certification, I thought I would get a cheap blog entry out of it this month.

This book was a great follow-up to Fatal System Error for me. Joel Brenner, the author, is a former Inspector General of the National Security Agency (NSA) and was also the head of U.S. Counterintelligence for the Director of National Intelligence. The book explores both cybercrime and cyberwarfare, with more emphasis on the latter. The author does give the reader a primer on cybersecurity and on how some attacks, DDoS for example, take place. However, because of Brenner's insight into the US national intelligence system, the book focuses on what state-sponsored cyberthreats represent to the international community, and especially to the US, without going into much detail on how attacks happen. It describes how cybercrime has evolved into a potentially lethal weapon against a nation's critical infrastructure (e.g. power, financial, communications, and military industries) by using the internet to disrupt communications and information flow during warfare, and references how Serbians manipulated these tools during the Kosovo War; more recently you could probably relate this to the Egyptian Revolution and the critical role that communications and social media played there, and to the continued threats by the Iranian government to shut down communications in their country as a way to control and intimidate their opponents. When the People's Republic of China (PRC) realized that it was too far behind the US economy and military, it identified an opportunity to build its technology and industries another way: by exploiting the weaknesses of our industries and military forces to steal classified information and intellectual property, which it has used to catch up with our technology and use it against us. Both government and the private sector are at fault here, by not implementing the necessary security controls and, most importantly, by failing to educate and create security awareness within their organizations.

The moment of truth for me during this read was when I came across the excerpt below. The reason being that I work in a mid-size law firm, and I couldn't agree more with this statement, which actually comes from a lawyer and partner in one of the 100 largest law firms in the US.

"The Chinese have other even subtler methods of stealing our know-how. Several years ago, while serving as the national counterintelligence executive, I sat with colleagues discussing how we would plan an espionage attack against an American business. And then a lightbulb went on: the law firms! Of course: A company's outside intellectual property lawyers have its technical secrets, and their corporate law colleagues are privy to strategic business plans. And lawyers don't like taking instructions from anybody, particularly their less well paid underlings who are responsible for network security. They're impatient. In some firms the rainmakers have nixed even simple steps, like requiring a password on mobile devices that connect with the firm's servers. They couldn't be bothered. Privileged with secrets, highly paid, often arrogant and usually impatient, lawyers are the perfect targets. I cannot disclose what I know because it's classified, but I can disclose that I know that my surmise was soon justified. U.S. law firms have been penetrated both here and abroad. Firms with offices in China and Russia are particularly vulnerable, because the foreign security services are likely to own the people who handle the firms' physical and electronic security. These services are not interested in stealing brilliant legal briefs; they want information about the firm's clients. Every law firm with offices in several continents holds privileged and sensitive electronic documents worth millions of dollars to a foreign service, ranging from investment plans to negotiating and business strategies, and much more."

Think I got hooked here? No kidding! This is what I am dealing with every day, and it is such a great challenge and opportunity for me as a professional. If you are in legal and have kept up with the news, then you now know what Brenner knew. There are plenty of articles out there on how the Chinese are attacking security in law firms, or on recent incidents such as Anonymous attacking law firms. Dear lawyers, this is a real issue for us and you guys need to pay attention.

Brenner also does a great job of identifying one of the most important problems that governments face: finding the balance between transparency and privacy. While transparency says "Open up", privacy says "We are watching you, and you are very restricted to what we want you to do." Both transparency and privacy are about information, which he refers to as being liquid. I love that analogy, because information as a liquid can take any form and be anywhere. The problem is that once the liquid leaks, it is hard to figure out how, when and where it happened, not to mention that it is nearly impossible to recover it all. During this segment the author also references how organizations such as WikiLeaks operate by "turning the hose on" to let the precious liquid out. The appearance of WikiLeaks was a critical milestone in the proliferation of hacktivist groups such as Anonymous, which supported WikiLeaks by launching DDoS attacks against organizations such as PayPal and MasterCard that had frozen WikiLeaks' funds in an attempt to stop its operations. It is important to note that WikiLeaks has a more organized structure, governed by its decision maker Julian Assange, while hacktivist groups do not have any type of hierarchy or governing entity and function as a group of people who support the same "values or ideas".

In chapter 7, the author presents a hypothetical scenario that illustrates how China could potentially create serious damage and pretty much "own" the US on the verge of war, using techniques such as shutting down entire power grids in the US, sending undetectable submarines to face US Navy craft, and disrupting the financial markets. He actually mentions that while his scenario is fictional, some of the penetrations and techniques used by the PRC have already happened.

Finally, Brenner presents what he believes are good practices to get both the public and private sectors working together. Many of them are widely known, yet not practiced much. Here they are in a nutshell:

Public Sector:
1. Stronger trade regulations and contracting. Require higher security standards from vendors.
2. Make service providers accountable. For example, require ISPs to notify customers whose machines are infected by a botnet.
3. Stronger energy standards. Limit connectivity to public networks.
4. Tax code. Use tax incentives to encourage investment in cybersecurity.
5. Encourage and fund research.
6. Securities regulations.
7. International relations. The international community needs to come together in all of these efforts.

Private Sector:
1. Clean up your act! Assume that you have been attacked, so monitor and mitigate.
2. Control WHAT is in your system.
3. Control WHO is in your system.
4. Protect what is valuable.
5. Patch, patch, patch.
6. Train, train, train.
7. Audit for operational effect.
8. Manage overseas travel behavior.

Monday, March 12, 2012

Reading List Q1 2012

It has been a couple of months since I last posted. I have a lot going on right now, and I have a few posts coming with updates on many exciting initiatives that I have been involved with, but I wanted to get back with something quick on one of my preferred activities, reading. I have been focused primarily on information and network security lately, even if I did not intend to. So here is what I have been reading since November.

Security Strategy: From Requirements to Reality, by Bill Stackpole and Eric Oksendahl. Not only is it a good book on information and network security, but it is also a good book for someone starting to do more strategic work, like me.

In Section I: Strategy, the authors discuss methods of thinking strategically, different types of strategic frameworks, and how to develop strategic plans, which require strong leadership skills in order to follow through the planning process of performance, monitoring, evaluation and adjustment. Once they lay the groundwork with these concepts, they go through scenarios that describe how to be strategic about security and why information security programs, when aligned with both the culture and the overall business strategy, can enhance processes and can even become a great marketing tool and bring competitive advantage. The importance of security convergence, the integration of logical and physical security, is also described, as is the increasing need to shift the focus from security to risk management. They also describe three different models that organizations use for the delivery of security services: In-house Security Model, Security Services Integrator, and All Security Services Outsourced.

In Section II: Tactics, Stackpole and Oksendahl go into how to implement your strategic plans. I liked how they laid out four main tactical areas of information security: Defense in Depth, Excellence in Identity Management, Excellence in Security Engineering and Excellence in Operations. The authors also emphasize, among other things, the importance of observation as a quality of any information security professional and of staff cross-training. They also give great advice and present good models for delivering Security Awareness Programs in organizations.

Fatal System Error, by Joseph Menn. The book starts by introducing Brett Lyon as the central character and how he started fighting Distributed Denial of Service (DDoS) attacks to defend companies in the gambling industry from extortionists. This eventually led Lyon to the creation of Prolexic Technologies, which specialized in fighting cyberattacks. Lyon moved on to become an entrepreneur and a well-known security industry figure who eventually participated in high-profile federal investigations around cybersecurity in the US. This book offers great insight into how cybercriminal mobs operate, and how different countries have put themselves in a position where they either serve these organizations, such as the Russian Business Network (RBN), or have fallen so far behind that they really can't counter or control their attacks. A second character emerges in Europe, British agent Andy Crocker, "who followed his leads and plunged deeper than any previous Westerner into hacking in the former Soviet Union". The work of these two men has been critical to "the good guys'" advances against cybercrime and cyberwar, because they are pioneers who relentlessly explored areas that nobody had before.

The book gives a technical overview of how cyberattacks such as DDoS and botnets, among others, work. Menn does a good job of describing how cyberthreats have become a very prolific industry and references many famous cases, such as the hacks perpetrated on T.J. Maxx and Heartland Payment Systems and how they were discovered by some of the most brilliant minds in the business, such as Lyon and Crocker, as well as Joe Stewart of Dell SecureWorks and Mikko Hypponen of F-Secure, to name a couple.

America The Vulnerable, by Joel Brenner. Mr. Brenner is a former Inspector General of the National Security Agency (NSA) and was also the head of U.S. Counterintelligence for the Director of National Intelligence. This book was a great follow-up to Fatal System Error. While the previous book focused primarily on cybercrime with slight insight into cyberwarfare, this book does exactly the opposite. Because of Brenner's insight into the US national intelligence system, the book focuses on the threat that state-sponsored cyberthreats, especially from China, represent to our country. It describes how cybercrime has evolved into a potentially lethal weapon against a nation's critical infrastructure (e.g. power, financial, military industries). It also illustrates the weakness of our current infrastructure and how the People's Republic of China (PRC) and other nations have been able to exploit the US's military forces and industries to steal classified information and intellectual property, which they have used to catch up with our technology and use it against us. The author also references how organizations such as WikiLeaks operate and how hacktivist groups such as Anonymous have derived from these organizations. Through a hypothetical scenario, he illustrates how China could potentially create serious damage and pretty much "own" the US on the verge of war. He actually mentions that while his scenario is fictional, some of the penetrations and techniques used by the PRC have already happened.

I have to say that if you work in information security and you want to catch senior management's attention, you need to read this book and also put a copy in front of management.

The Girl With The Dragon Tattoo, and The Girl Who Played With Fire, by Stieg Larsson. I don't remember when the last time I read a fiction book was. Holy Enigmatic Girl, Batman! I could not put these down. I finished the latter in one night with 200+ pages to go, the most I have ever read in one day, by far! The story of the first book develops around a journalist and owner of Millennium Magazine, Mikael "Kalle" Blomkvist, who is hired to resolve a family mystery about the murder of a girl. Blomkvist does resolve the case by relentlessly digging into the family business, which puts his life in danger. In the process he runs into Lisbeth "Liz" Salander, a very weird girl whose social skills are not "normal" but who happens to be really smart and great at investigations, which she carries out by means of observation and electronic hacking (security theme again, and this time unintentional). Salander becomes the perfect complement to Blomkvist, and together they start discovering new facts and connecting dots until they resolve the case. They also engage in a deep and weird personal relationship, which ends abruptly at the end. Salander also manages to get hold of millions of kronor (Swedish currency) by means of cybercrime... really, I did not mean to get onto the information security track again, but Salander is a heck of a hacker herself!

The second book, The Girl Who Played With Fire, is about an investigation into the illegal sex trade and the prostitution industry carried out by Millennium Magazine through Dag Svensson, a freelancer, and his girlfriend Mia Johansson. While the investigation is going on, the story also reveals Liz Salander's turbulent past and how society discriminated against her and labeled her as socially challenged. As Svensson gets close to the head of the sex trafficking industry, a link between that beast and Salander surfaces, and Svensson and Johansson, as well as Salander's legal guardian, are all assassinated with the same weapon, which happens to carry Salander's fingerprints, and the hunt to find her starts. On one side we have the police services desperately yet ineffectively trying to track Liz Salander down. On the other hand, Blomkvist launches his own investigation to prove Salander's innocence. At the end, the head of the mob and Liz engage in a brutal and bloody battle, and both end up in critical condition at a Gothenburg hospital; Salander's innocence of the three murders is clearer, yet not proven yet. I have to get to the 3rd book for that!

My next books include the 3rd book in Stieg Larsson's saga, "The Girl Who Kicked The Hornet's Nest", which I am reading now, and "The Hunger Games" saga. As for professional reading, I am going to turn my attention back to my roots, the network, and read "Designing Cisco Network Service Architectures (ARCH)" in order to prepare for completing my CCDP certification (and I sense that there will be a need to become better versed in SAN technologies and virtualization). I also want to read David Allen's "Getting Things Done".