The Wall Street Journal reported today that the United States government has a fleet of Cessna planes in at least five US airports that are equipped to track and aid in pinpointing of specific mobile phones.
The technology dubbed Dirtbox (Digital Receiver Technology), which was developed by a subsidiary of Boeing, mimics a cell tower tricking mobile phones. The planes fly over an area and can attempt to locate specific phones via the unique IMEI number, however all phones in the area will respond to the signal. Each phone is logged and labeled as “Of Interest” or “Not of Interest”. If a phone of interest is located they can perform additional steps to triangulate the specific location of the person or phone of interest. All encryption has been turned off so the government can obtain personal information such as what numbers were called from any of the phones. The FBI has used similar technology for years with a program dubbed Stingrays.
I am not an expert but it seems that a criminal or terrorist would not use a cell phone that could be tracked to them and switch phones often. We all know there are stupid criminals out there though.
For the vast majority of people in this country this is a direct violation of our privacy and civil rights. Who defines “Of Interest” and “Not of Interest”? If I don’t vote for a particular candidate or donate to the President’s opponent do I get on the list?
As the news has reported for nearly a year, credit card security is getting ready to be improved by the rollout of Chip-and-Pin technology. This technology is considered to be harder to steal thus leaving clients more secure. Retails have gone down the road of implementing this technology over the last few years but these preparations have sped up in the last 12 months after the Target breach.
Recently, the Obama Administration has issues an executive order on the use of Chip-and-Pin for Federal Agencies. This is a link to a great article describing the difference in Chip-and-Pin versus Chip-and-Signature.
Security product vendors often say that their products will block malware or trojans from getting into your network. This is slightly misleading. They should say that these products can block malware and trojans. To get them to actually block threats into your network they have to be configured properly. This is one area where you don’t want them deployed by someone that can figure it out or fumble through it.
Recently the thermostat in my house stopped working 100%. It worked just fine if you wanted air conditioning. However, if you wanted heat you were out of luck. Before we knew it was the thermostat we contacted a local heating and air company. We figured it was the heater. We weren’t experts on HVAC systems but it seemed reasonable if the heater wouldn’t come on and the AC would that the heater was out. Once they inspected everything we learned that it was the thermostat. It took hiring the right people to make the determination and what our proper path was to restore heat to the upstairs. I had no idea what to do with a heater.
As an American male I understand the desire to give it a shot myself first. We look at a problem or a situation and our brains immediately go to how can we do it ourselves or with a group of buddies. If there is a tree down in the backyard our first thought is how soon can we get to the store and purchase a chain saw. We have it all worked out in our head that we need to cut here and there and we fast forward all the way through the project.
With data security things can’t be done with the same attitude. In the network security field we have to change our approach from reactive to proactive based. It isn’t what we will do once the tree falls down, it is what can we do to keep the tree from falling.
Most security products are reactionary. They respond to an event based off of a signature they already know about. This in and of itself is not that difficult for a product to do. Firewalls, anti-virus, intrusion prevention, etc. all use this model. Some manufacturers tout their products ability to train itself, or to learn about emerging threats. This model is also flawed. Network security products can be purchased by an attacker and they can figure out very easily how to bypass this device. Additionally, the truth is these products do not learn all that quickly.
There is a quest in the network security world to find products that can automatically detect and respond to an attack. When the device or software detects an abnormality in a packet it can perform an action like shut down the firewall port or disable the workstation. That sounds so cool on paper. After all don’t we love automation?
Blindly following the advice of an autonomous product can be a costly venture. One of two things will happen. First, you are putting your trust into a device that can only detect what it knows about. If the device doesn’t know about it nothing will happen. Think about this from an outsiders perspective. We know instinctively that Target, Home Depot, K-Mart, and Dairy Queen all had firewalls, AV, and IPS. Yet they were still hacked and data was extracted from their networks. The reason is the malware was morphed so the typical automatic tools wouldn’t catch it. These attackers knew what they were doing and found a way to beat the system. You can finger point all day long if it was a third party or failure of this or that…all of that is irrelevant. The tools on the network failed.
The second problem with automation is that the device could overreact. I recall several instances where a client was using a firewall that was set to detect and block malware on a network. If the device saw strange activity from an internal device it was set to block that device so IT would have to look into the problem. All of that would be great except the day when they were really busy and the amount of DNS requests was legitimately higher. The firewall thought it was malware and shut down the DNS server stopping all traffic on the network. I could name numerous others where an overzealous security product stopped traffic on the network and shut off internet requests for everyone. The common reaction to this one is to shut off the security product (that statement is typically preceded by a four letter word) and stop using it all together. Now the network has little to no protection.
Automation and reaction-only based security model is not the key to safe data and will lead companies down a bad road. I think these products can be used but only in conjunction with human analytics and in a controlled format. Log management, log review, assessments, and training for the entire company. Getting real insight and advice on a network is critical to securing your data. Before submitting your 2015 budgets take a look at what you are spending on these analytical approaches to security and what you are spending on the automated tools (Firewalls, IPS, AV, IDS, Managed Security). Automation-only isn’t working for anyone.
A security assessment or penetration test that only focuses on the vulnerabilities and missing patches are too narrow in scope. This is a limited view and doesn’t provide you with an overall picture of the risk an organization faces.
Organizations need an assessments that looks at not only the vulnerabilities that exist, but what all the various risks are. Having a Windows patch or Adobe Reader up to date is not going to solve your security risks. These are important but too narrow. It is like driving a car that cannot turn left or right, it only gets you so far before the road ends.
Assessments are most likely required in your organization. Spend the money wisely and get one that actually helps create a more secure environment. Not just one that allows a box to be checked off a list.
No one starts playing baseball in the major league. The typical major league ball player starts in a Babe Ruth type league, goes on to play in high school, then college, then the minor leagues, and finally the majors. Even once they make it to a pro team, like my beloved Baltimore Orioles, they often do not start every day right off the bat. They work hard to earn a spot on the regular roster. It is only once they make it to the big’s that most people learn about them and what they can do. The number of people that knew Cal Ripken before he played for the O’s is small. The number of people that know Cal Ripken now, is vast.
Many organizations feel they are not going to be a target of a cyber attack or data breach. The common mentality is that they are too small or not important enough or they don’t make enough money. This way of thinking is too narrow for today’s world and very dated.
Target, Home Depot, Jimmy Johns…the attackers didn’t start with them. This wasn’t a trial run. This was their major league debut. They started in the minors. Small and midsize businesses were the training ground where their skills were perfected.
And coming up behind them is the next wave of major league players ready to hit more home runs that their predecessors. Where do you think they are learning their skills? Your network is the practice field.
The news media as well as people I talk with usually focus on the large scale attacks. They are aware from the news that Home Depot, Target, and P.F. Changs were breached and credit card data is at risk. These attacks are great to make public to raise public awareness, although as I previous wrote about does little to change behavior.
What people often don’t think about is the fact that your local hardware store, grocery, and Chinese restaurant are not necessarily safe. They could also be the target of a smaller scale attack. They are just too small to be discussed on Fox news and CNBC. Attacks on these size businesses often go unreported and not documented.
So my question for any organization out there, did you spend more money on security than Home Depot, Target, or P.F. Changs? Why would you be safe and not them? The malware used for these larger attacks was tested somewhere on a small scale first.