Tom Olzak

Posts Tagged ‘Privacy’

Executive Order: Improving Critical Infrastructure Security

In Control Systems, Critical Infrastructure, Cyber Espionage, Cyber-warfare, Government, Regulation on February 15, 2013 at 21:03

President Obama issued an executive order (12 Feb 2013) addressing the need for a cybersecurity framework to protect the critical infrastructure of the United States.  You can read the order here...  In theory, it’s what we need.  In practice, how long will it take before politicians weaken the order’s intent to the point that it becomes a meaningless script for staging a “We really do care” position?

The order includes a directive for information sharing but leaves it to the various departments to decide who to notify, what to declassify, etc.  Based on how slowly our bureaucrats move on anything, an attack will be long over and China will be manufacturing the stolen designs before a notice goes to the potential targets.  Nothing in the order specifies process or technology needed to give timely notifications.  Given how long it has taken the government to understand it has a security problem, the delays in achieving the president’s expected outcomes will likely last far into the next administration… where its eventual demise is highly probable.

The administration is looking for incentives to encourage critical infrastructure owners and operators to carry out recommendations the NIST is requested to formulate.  Incentives?  Incentives for public utilities, for example, will need to be a kick in the pants and the threat of jail time.  If the operators of critical infrastructure really cared, we wouldn’t find ourselves in this mess.  It wasn’t yesterday that security became an issue for anyone with a computer.  There is no excuse for our current situation except heavy lobbying and political career survival practices.

I do hope there is progress on the president’s plan, but I’m not hopeful.  My faith in business and government doing the right thing left the station long ago.

Facebook employees should know better

In Business Continuity, Cloud Computing, Computers and Internet, Data Security, Insider risk, Java on February 15, 2013 at 20:27

While I believe that posting any private information to a social networking site is… well… nuts, I also believe we should have a reasonable expectation of privacy.  This means companies like Facebook must do a good job of protecting themselves from potential attacks.  So why were laptops used by Facebook employees targets of a recent zero-day attack?

Yes, it was zero-day.  We can’t foresee all possible attack vectors.  The threat agent used a hole in Java to infect the laptops.  Further, the Java exploit was sitting on a developer site.  Doh!  Didn’t see that coming, Facebook?  You should have.

Java is full of holes.  It is an exploit waiting to happen, and it is not the first time attackers circumvented the Java sandbox to get at the underlying platform.  Some, like Andrew Storms at nCircle Security, believe Java needs a complete overhaul (via Gregg Keizer, Computerworld).

“Oracle should just take a mulligan and redesign Java before everyone completely loses faith in it…”

Apparently, Facebook didn’t get the memo.  Why would a social network company allow its employees to visit risky sites and then connect back to a network where customer and other sensitive data reside?  Why would any organization?

For more information on end-user device security, see Chapter 6 – End-user Device Security.

Should you run away from Dropbox?

In Access Controls, Cloud Computing, Computers and Internet, Data Security, Piracy Legislation, Privacy, Risk Management, Security Management on June 21, 2011 at 15:26

For a long time, I’ve recommended Dropbox to colleagues, friends, and family.  However, recent revelations and events made me look for a more secure and less risky solution.

First, we learn that any employee at Dropbox has access to our data.  According to the Dropbox site,

Dropbox employees are prohibited from viewing the content of files you store in your Dropbox account, and are only permitted to view file metadata (e.g., file names and locations). Like most online services, we have a small number of employees who must be able to access user data for the reasons stated in our privacy policy (e.g., when legally required to do so). But that’s the rare exception, not the rule. We have strict policy and technical access controls that prohibit employee access except in these rare circumstances. In addition, we employ a number of physical and electronic security measures to protect user information from unauthorized access.

The problem I had with this was the lack of communication to customers that this was the case.  Many of us understood that NOBODY could access our data.  Well, no problem.  I simply used TrueCrypt to encrypt sensitive data.  This was inconvenient and caused some performance issues.

As a regular listener of Security Now, I decided to try the highly recommended Carbonite.  Not only does it back up all my data, but all my Office files and PDFs are available via my iPad and iPhone.  In addition, nobody can access my files but me…  Finally, the cost is pretty low: $59 per year for unlimited storage.

After testing Carbonite, I wasn’t yet ready to drop Dropbox.  However, today I read that they left all files available to the public for four hours yesterday.  (sigh).  I guess it was too much to expect a great cloud file repository to actually be secure, too.

It’s All about TRUST…

In Business Continuity, Data Security, Risk Management, Security Management, Trust on June 20, 2011 at 18:41

Consumers and the press like to bash vendors and online social networks for lacking perfect privacy, but there is no such thing.  Rather, this is the victim’s argument for getting pwned…

Whenever we perform an action, or fail to act, there are consequences.  A popular zen teaching uses an analogy of picking up a stick; if you pick up a stick holding one end, the other comes with it.  The same is true of sharing personal information online.  There is always the chance your information will fall into the wrong hands.  Whether or not you share your information should be a matter of trust, of your assessment of risk.

Trust varies between online services.  For example, the steps my bank takes to protect my information are regulated and pretty strong–not perfect, but strong enough for me to take the risk of using its online services.  On the other hand, I would never post anything I don’t want the world to know about on Facebook.

Social networks are not heavily regulated… yet.  And we don’t want them to be.  I don’t want the government sticking its finger into everything I do online.  So, I need to take some responsibility for my actions and not complain to my congressman or senator when my pictures of my last frat party compromise my integrity and that of several others.  Knowing Facebook is a social network, designed for SHARING, why would I assume the risk of putting sensitive content there?  Why would I place my trust in any social networking service?

The same is true of doing business online.  There are differences in how “due diligence” is defined between online business services.  It is our responsibility to ask the right questions before using any service.  If we don’t, we are just as responsible as the service provider when data is stolen… or worse.  Further, regular audits or other assessments are necessary to ensure initial trust does not drift in the wrong direction.

Before sharing your business or personal information with anyone, ask yourself how much you trust the other guy.  If the answer is, “not as far as I can throw him,” then go somewhere else.

Security None-sense

In Data Security, iPad, Network Security, Risk Management, Security Management on December 1, 2010 at 13:03

I’m sitting in my mother’s hospital room. It is in a new, modern, well thought-out addition to the Toledo Hospital. There is even high-speed Internet access via Wi-Fi. However, the hospital’s IT department blocks social networking sites. Why?

If it’s for security, why bother? I can access Facebook and Twitter from my iPhone and iPad using other tools. For example, I sent a Facebook post (just because I could) using my email. I continued to receive friend updates via email and text messaging. I could also post photos or video from my iPhone. So any HIPAA compliance intent is fully circumvented.

If the hospital is blocking social networking to preserve bandwidth, it needs to reconsider. Today’s patients–and their families–have integrated 24/7 social contact into their lifestyles. Blocking access is simply a poor business decision.

Finally, they may block blogging before my next visit, given that I am writing this on my iPad while sitting in my mom’s room…