Simplicity is a strategy that works.

This last week I was fortunate enough to be invited out to Hollywood to participate in a large exercise for the entertainment industry focusing on cyber security planning and threat management.  There were folks in attendance from a variety of organizations, all of which were very interested in just how exposed they might be to data theft.  The resounding call from nearly every executive that I talked to during this event was that they were aware of how exposed they likely were, and that they were extremely worried about who would be next to have their movie or tv show leaked to the public. 


For More Cyber Operations Wins, Cheat…

Before my last deployment (quite a while ago, thankfully) my unit was training on a variety of tactics to make us all more effective in an operational setting.  That’s the long way of saying we were all getting PT'd repeatedly and learning how terrible we were at stopping the bad guys, luckily we all got better as time went on.  Anyway... 

One of the most valuable lessons we learned from working with the guys in some of the more “special” operational roles was that things shouldn’t be fair. 

In other words, the bad guys didn’t play fair. Why should we?

How could we expect to win if we played nice and everyone else was moving with no holds barred?

I literally had a very crusty, very angry Master Chief say to me “if you ain’t cheating, you ain’t trying.”

Then we got PT'd again anyway, thanks to his acute observation of the squad’s failure to move on the threat fast enough, hurray push-ups.  But nevertheless, his message came through (many, many push-ups later).

We got very good at cheating.  We would do everything from placing sugar packets under the rolling obstacles on the obstacle course, so they didn't move and we could get over them faster, to shoving extra ammunition magazines into every conceivable spot on our persons we could find.  One guy sounded like he had been eating ammo for his morning cereal, he jingled so much when he walked, but he always had rounds long after the bad guys had run out.  Once we had the concept down that in an operational setting the bad guys weren’t playing fair, so neither should we, our unit started winning more and taking the heat to the bad guys.  By the time we left for deployment we were very good at stacking the odds in our favor, and we continued this for the whole of our operational time. 


Prepare for Increasing Frequency of “Nation-State” Cyberattacks with Strategy, not Technology

Let me pose a question: “Is it a bad thing to give the average person a hand grenade with the pin pulled?” I think most of us would respond to that question with an emphatic “YES!”  No one in their right mind would think it's a good idea in any possible reality to allow anyone without extensive military or professional training to access an explosive, especially not one that is live and has no safety device in use. Bad things would happen, and people would probably lose their lives; at the very least, there would be damage to property. No matter what, this scenario would be a very bad thing and should NEVER happen.

OK, now let me change that question a bit: “Is it a bad thing for every person with a network connection to have access to extremely powerful nation-state-level cyber weapons?”  Hopefully you would respond similarly and say “YES!”

Just as the hand grenade juggling is a problem, so is the proliferation of nation-state-level exploits. These malicious tools and frameworks have spread across the world and are presenting a very complicated problem that must be solved. Unfortunately, the solution that we've currently been offered amounts to a variety of vendors slinging solutions and tools that, without good strategy, cannot effectively combat the myriad cyber artillery shells now being weaponized against every system that touches the World Wide Web. The bad guys have now officially proven that they can “outdev” the defensive technologies in place in many instances and have shown that it's highly likely that many installed legacy technologies are wide open to these weaponized attacks (anti-virus be darned) across the planet.


Data is the perimeter, defend it that way

Unless you have been living under a rock, or possibly hiding in the mountains of Montana with a giant beard and eating way too many government-issued MREs, you probably heard about the nuclear bomb of a ransomware attack that kicked off last week.  Welcome to the post-apocalypse, folks.  For years, many of us in the cybersecurity industry have been jumping up and down on desks and trying to get the world (writ large) to pay attention to managing and patching outdated systems and operating systems that have been running legacy software, to no avail.  Now that Pandora’s box has been opened and the bad guys have used the NSA-leaked tools as weapons platforms, all of a sudden everyone gives a dang.  I caught no less than 17 talking heads on the news this morning stating that “this is the new reality” and “cybercrime is a serious threat to our way of life.”  Duh, also water is wet and fire is hot.  Thank you, news.  

Regardless of all the bad that is bouncing around the news and everywhere else today (and as I type this I can literally see a pew pew map on CNN that looks like a Zika virus map showing the spread of WannaCry dominating the screen behind the anchor team), the reality around this “massive hack” and “global attack” is that if folks didn’t suck at patching their systems, and followed basic best practices instead of crossing their fingers and hoping that they didn’t get hit, the “end of days malware” would be basically ineffective.  The “hack” targets Windows XP systems, an old, outdated, unsupported OS that should have been pulled from use eons ago.  And if the legacy system running that OS couldn’t be pulled, IT SHOULD HAVE AT LEAST BEEN PATCHED.  Problem solved, or at least made manageable. 


Zero Trust for MeatWare: It Applies to Us Humans Too

Zero Trust principles have, thus far, been mainly aimed at the network and the technology that makes our interconnected systems “live.” That’s how the concept was originally meant to be applied, but the reality of the threat vectors and need for better security capabilities means that Zero Trust has to adapt just like everything else does. The concept for Zero Trust is super, and it's being adopted at quite a few major organizations, but there's still a problem:



For Better Security Operations, Speak to the Pack in its Native Tongue

I have a huge German Shepherd that ranks only slightly behind my human children when it comes to being spoiled and how much attention he gets.  I’ve been working on training him for nearly a year now, and he amazes me with how intelligent he is. He knows all the basics: sit, stay, here, lay down, etc. But he also picked up detecting scents very quickly and is learning to detect things with his nose that I can’t even see with my eyes. And he does all of these things faster than most kids learn to break the Netflix password.  

The other day, working with him on his training points, I thought to myself, “Whoa, my dog speaks human.” Not just English either. He speaks German (that’s the language he's trained in), and he totally understands it. I realized the problem is that I don't speak “Dog.” My dog knows about 30 human words, and they are words in a language his master has no business trying to pronounce, mind you. But he knows what those words mean, and he gets the tasking or request down every time they're uttered. He could look at me for an hour and bark, growl, howl, yip, or yelp constantly, and he could be telling me the cure for cancer and I wouldn’t know it.  

OK that’s interesting, but what does it have to do with better communication among techies?
