RSAC USA 2015: My Agenda Day 1 Monday

The RSA Conference USA for 2015 wrapped up last Friday.  I am using this blog to share with you my personal schedule for the five days of the conference, to indicate what interested me and what I experienced.  I’ll separate each day into a separate blog posting, complete with session descriptions from the RSAC catalog.

Please write to me if you have any questions about these sessions.

  • SEM-M02 : Information Security Leadership Development: Surviving as a Security Leader

In conventional security training, there are few opportunities to learn how to develop and direct a successful information security program. Experienced security leaders delivered a morning seminar focused on bridging this gap.

  • As a New CISO – How to Assess Your Security Program for Success – Gary Hayslip
  • Are you Fighting the Wrong Battles? – Bill Burns
  • Being a CISO – What They Don’t Tell You – Jack Jones, Evan Wheeler, Rick Howard, Julie Fitton, Amy Butler
  • Stepping Inside the Boardroom – Trey Ford
  • SEM-M03 : Advancing Information Risk Practices

Many challenges face today’s Risk Management programs, including how to risk rank security gaps, handling business interactions and forming a qualified resource pool. This half-day seminar was packed with useful information from a series of respected industry leaders. Discussing successes and pitfalls, these leaders have set out to challenge conventional ideas and pursue cutting edge tactics.

  • Practical Quantitative Risk Analysis – David Musselwhite
  • An Inside Look at Cyber Insurance – Jake Kouns
  • Metrics That Matter – Scott Borg, Alex Hutton, Evan Wheeler, Kymberlee Price, Michael Werneburg
  • Leveraging Threat Analysis Techniques – Mark Clancy
  • ISB-001 : Innovation Sandbox

RSAC Innovation Sandbox has been selecting the most innovative information security companies and products for the past 10 years.  Previous RSAC Innovation Sandbox Contest victors have garnered venture capital investment, large company buyout and increased media coverage. RSAC Innovation Sandbox Contest has rewarded a range of information security solutions, including cloud security, mobile and app security, physical security and analytics.

In addition, the Innovation Sandbox Contest program includes valuable content on how to establish a start-up, start-up trends and the future of information security.

  • Introduction – Hugh Thompson
  • Most Innovative Company at RSA Conference 2015 Top 10 Presentations

Three-minute pitches followed by Q&A with judges.

  • Participating finalist companies:
    • bugcrowd
    • cyberreason
    • Fortscale
    • Nex Defense
    • SecurityDo
    • SentinelOne
    • Trust In Soft
    • Vectra
    • ticto – runner-up
    • waratek – Winner
  • Requirements:
    • Have an awesome product that has been in the market for less than one year; has the potential to make a significant impact on information security; can be demonstrated live and on-site during the event.
    • Have a great company that has a management team track record to successfully deliver products to market; is privately held, with less than $5M in revenue in 2014.
  • Judging panel:
    • Asheem Chandna, Partner at Greylock Partners
    • Asheem Chandna, Vice President of Security Engineering at Google
    • Renee Guttman, Vice President for Information Risk at Accuvant
    • Patrick Heim, Head of Trust and Security at Dropbox
    • Paul Kocher, President of Cryptography Research
  • How to Get Funded

Don’t let your groundbreaking idea sink out of sight for lack of funding. Find out where the money is and how to get it. UC Berkeley’s Jesse Goldhammer will guide this discussion between DARPA’s Dr. Angelos Keromytis, Trident Capital’s Alberto Yepez and Kickstarter campaigner Tiffany Spencer to sort out the challenges and benefits of conventional vs. unconventional funding routes to inject capital into nascent start-ups.

  • When to Build or Buy Your Security Solution – Panel

Jason Chan, Engineering Director, Netflix; Anup Ghosh, Ph.D., Founder and CEO, Invincea; Rick Holland, Principal Analyst, Forrester Research; Martin Roesch, Vice President and Chief Architect, Cisco Security Business Group

In today’s threat landscape, companies of all sizes need a technology investment strategy to protect their assets. Firms are often faced with either accepting the current toolsets available in the market, or building their own tools to address their unmet needs. Rick Holland led a discussion on the tradeoffs of building or buying information security technologies with Anup Ghosh, Marty Roesch and Jason Chan.

  • Future Crimes: Why Cyber Was Only the Beginning – Marc Goodman

As ubiquitous as technology seems today, the scientific progress just over the horizon will leave our heads spinning. Today’s cyber attacks are only the beginning of our technological security risks. The Internet of Things, robotics, 3D printing, artificial intelligence and synthetic biology will provide unprecedented opportunities for entrepreneurs and criminals alike. Marc Goodman explored emerging threats and opportunities in securing the technologies of tomorrow.

  • Award Ceremony and Winner Announcement

Who’s Invited to Your Party: Discussion Framework

Presented at RSA Conference USA 2015

Yesterday I had the great pleasure of hosting, as facilitator, a peer-to-peer (P2P) session at RSA USA Conference in San Francisco.  The topic was information security of the partners with whom we do business.  I’ll write about the session and topic over a few blog posts; my first was posted yesterday, a post that summarized other RSAC USA 2015 sessions that cover security of partners.

The title of my P2P session was: Who’s Invited to Your Party?  Minimizing Risk from Outsourced Partners.  The session description was:

Recent headlines suggest your greatest risk may be from trusted, connected partners.  Let’s get beyond old approaches to share experiences and new control options for your elastic insider network.

Best practice partner security evaluations have typically included questionnaires, standardized forms, log reviews, and audits.  But these are proving insufficient.  If a connected partner supporting core operations is compromised, your internal defenses, such as layered network architecture, may also be insufficient.  Those partners have their own partners, all potentially becoming your “insiders”. We will discuss new ideas and better approaches for managing partner access and limiting risk.

In advance of the session I answered a few questions to help prepare those interested in attending the session.  Here are the questions and answers:

1. Who are the attendees who will most benefit from—and contribute to—this peer2peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

  • Attendees whose organizations utilize outsourced partners to do business: partners that connect to internal computing resources and/or have access to proprietary information, forming “the elastic insider network”.
  • Attendees who assess the security of organization-partner information exchanges and network connectivity.
  • Attendees whose roles include IT technical, IT security, legal, asset management, risk management, and insurance.
  • This session will be strategic and tactical, not deeply technical.

2. Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

  • Organizations regularly engage partners to support operations, including core functions; this outsourcing is a well-established and increasing trend across many industries.
  • Virtually all of these partner-supported operations involve information that is sensitive or even strategic to the organization.
  • Most of these partner-supported operations involve information exchanges between the partner and the organization, and many involve partner access to internal networks.
  • Organizations have limited influence over the operations of their partners, including partners of the partner, which increases information security risk and requires additional, specialized controls.
  • Many of the breach reports lately in the news have involved compromised partners as a vector to attack business networks, at great cost and reputational damage.

3. Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

  • Think about the partners engaged by your business, the types of operations they support, and the information and business networks they access, particularly those that are mission critical, sensitive, or regulated.
  • Think about what processes you have in place to assess potential partners, to monitor and audit partner operations that involve your business, and to mitigate IT security incidents involving partner access.
  • Think about the contracts you have with your partners, specifically the language that gives you (1) rights to direct how the partner uses your business information and connects to and uses your internal networks; (2) rights to audit the partner; and (3) rights to direct how the partner engages and uses partners that also have access to your sensitive information.

4. What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

  • I anticipate a vibrant, in-depth, inclusive discussion that surfaces a variety of viewpoints and debate between them.
  • Attendees will leave with an understanding of the issues, assessments and controls involving outsourced, connected partners.
  • I expect to spark for participants some of those invaluable RSA “aha!” moments, where they gain new perspectives and insights that they can bring back to add immediate value to their work and spark meaningful change in their organizations.

Tomorrow I’ll post a summary of the session and anonymized comments shared by participants.

RSAC USA 2015: Partner Security Sessions

Great peer-to-peer session at RSAC this afternoon. Thanks to all who participated.

I promised you I would post a list of sessions at RSAC this week that involve partner security, so here it is. There are seven total, though the first is already finished. Hope to see some of you again in these sessions.

  • Tue 3:30 p – GRC-T09: The Coming Revolution: Industry Groups Defining Vendor Assessment Standards – Panel, including Howard Schmidt, former president of Information Security Forum (ISF), ISSA and (ISC)2, and former Cyber-Security advisor to the Bush and Obama Administrations, former Microsoft CSO/CISO.
  • Wed 8:00 a – CRWD-W01: Combating Cyber Risk in the Supply Chain, Joshua Douglas, CTO Raytheon Cyber Products
  • Wed 9:10 a – ECO-W02: Addressing the Global Supply Chain Threat Challenge: Huawei, a Case Study – Andy Purdy, CSO Huawei Technologies USA
  • Thu 10:20 a – CRWD-R03: Best Practice or Bust? Test Your Approach to Third-Party Risk, James Christiansen, VP, Accuvant
  • Thu 10:20 a – P2P-R038: Third Party Supplier Governance—Secure the Supply Chain, Puneet Kukreja, National Australia Bank
  • Thu 11:30 a – GRC-R04: Is Your Third-Party Service Provider Vendor Management Program Good Enough? – Patrice Coles, Compliance Manager
  • Fri 11:20 a – STR-F03: Supply Chain as an Attack Chain: Key Lessons to Secure Your Business, panel

A Social Engineering Story

When pondering the term Social Engineering, my focus is solidly placed on “Social.” These are human, not technical, attacks. Social Engineers are first and foremost masters of manipulation of the social interaction. They identify potential targets, assess them in the first few seconds of conversation, and then launch the attack. A crisis situation is presented and the assault usually occurs with dizzying, intentional speed, such that the victim has no time to think, much less verify what they are told. Victims are quite simply caught off-guard. If the first thrust is successful then follow-on attacks are launched.

These attackers often do a little homework to prepare. They identify a target audience, usually vulnerable groups like the elderly. A crisis scenario is developed that preys on the psychology of the target. Any background information the attacker can gather increases the success of the attack, making the crisis scenario seem more authentic.

And by the way, I am not talking necessarily about the sophisticated professional villain. Many successful attacks are authored by rubes who strive for quantity, with the law of averages supporting their likelihood of success with at least one target. And a few successes is all it may take to make the Social Engineer successful in the “profession.”

Today I present a case in point, that illustrates a typical attack. A neighbor of mine in his mid-eighties got a call from someone who easily found his landline number (yes, you read that right). The person claimed to be a police officer in Las Vegas, saying that the neighbor’s grandson had been arrested for some indiscretion and needed bail money to get him sprung from jail quickly. The neighbor, reasonably upset by the news, asked simply “Which grandson?”, and the response was “The older one.” The caller gave wiring instructions then ended the call with the caveat “Your grandson asked that you not mention this to anyone, including his parents, because he is really humiliated. He said you were the only one he could go to for help.”

The real story behind the story, of course, is that my neighbor, who had been feeling old and irrelevant, was instantly cast in the role of the hero, having been given a rare opportunity to swoop in and save the grandson from destruction. This was the psychology behind the crisis scenario. The Social Engineer called it with 100% accuracy and my neighbor fell for it. He transferred the money to an account in Las Vegas, not even asking the caller to verify the grandson’s actual name.

It worked so well that a few hours later the attack continued. Another call came through, this time from a purported ‘lawyer’ claiming to represent the grandson and his friend, who described the situation as “even worse than had been previously described”: the charges were being escalated to something felonious. So of course that meant the lawyer’s retainer would have to be sent immediately so that work could begin without delay to help prevent the situation from getting more difficult.

Attackers know how to be flexible with their story, to keep the attack going. So when my neighbor said he didn’t have the requested retainer sum, the lawyer explained that this was not a problem: the grandson’s partner in crime was from a wealthy family, and they would pay the retainer. But because the family did not want to be directly identified, they would first deposit the retainer funds into my neighbor’s account and, once he verified the deposit, my neighbor was then to pay the lawyer directly. All the family required of him was to provide his social security number and bank account number, which they explained was completely logical since they were “trusting” him with their payment of the retainer amount. Yes, he fell for it and gave the information.

Now the attackers had far more than the first payment of easy cash to Las Vegas. They had the victim’s confidential financial information, given by the victim himself! In the hands of a Social Engineering attacker such information can easily be used to leverage more information and more cash.

When my neighbor called the bank to verify the transfer, lo and behold, the new money had been deposited into his checking account! How can this all be a fake when money is flowing to him? What he didn’t think to check were his linked accounts, such as savings and retirement. Using the bank information my neighbor provided, the thieves had simply done a telephone account transfer, mimicking my neighbor’s telephone number so it appeared on the bank agent’s caller ID display. It is usually easier to transfer funds between accounts than out of the bank. My neighbor then promptly transferred the ‘retainer’ amount, really his own cash, to another Las Vegas account.

Again, the attack continued. The ‘attorney’ called again to say that the case was more complicated and a higher retainer amount was required. Only then did my neighbor start to feel a little suspicious, and finally called a family member to share the situation. End of story: My neighbor was bilked of thousands of dollars and felt too humiliated to talk much about it.

It is critical that we share news of these incidents to raise awareness of the power of a good story and a compelling storyteller. These attacks are successful, in part, because victims are too embarrassed to talk about their experience. And it can happen to anyone, individuals and businesses, given the right story, particularly with the good background information we all too readily give away in our social media posts. When thinking about your online security, it is critical to understand the people factor and to spread awareness of how powerful and successful Social Engineering attacks can be.

Wells Fargo Phishing

It is always interesting to receive and look over a phishing email, as I did today.

The email, purportedly from Wells Fargo, was boldly titled “Important Notice Regarding Your Account”, showed “Wells Fargo” in the From header line, with the official Wells Fargo red square logo below the address block. The email address behind the From line was smrfc@notify.wellsfargo.com. The rest of the email is copied below, with an asterisk added in the address so you don’t accidentally click it.

The key giveaway feature of these phishing emails is the helpful link you can click on to log in and solve the problem. Everything else in the content is intended to get you to trust and click. So the first rule you should follow is never click the included link. If you want to validate that you really have a problem then open your web browser, navigate to your bank’s site, authenticate, then check for warning messages.

My attention was also caught by the phrase “forced to suspend your account indefinitely”. While a bank may freeze a compromised account, no bank will lock you out of your funds; after verifying with you, it will move the funds to a different account number. This phrase was included to alarm you with a tight deadline and severe consequences, so you’ll be more likely to click.

Don’t fall for these scams. At best they might lead to a software download that would compromise your computer. At worst they will clean out your bank account and try to find linked accounts to do the same.

Stay Safe online!

– Ken
Dear Wells Fargo Member:

We recently have determined that different computers have tried to log in to your account. Multiple password failures automatically places your account on hold.
We now need you to re-confirm your account information to us.
If this is not completed by December 03 2014, we will be forced to suspend your account indefinitely, as it may have been used for fraudulent purposes.
We thank you for your cooperation in this manner.

To remove limitations from your account click on the following link:

https://online.*wellsfargo.com/cgi-bin/Logon.aspx?sd

Thank you for being our customer.
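The giveaways described above (a login link whose host does not belong to the sender’s domain, deadline and suspension language, a generic greeting) can be checked mechanically. The following is an added example written for this post, not a tool from the original; the sample message is constructed after the quoted email, with a made-up lookalike link host, and the registrable-domain logic is a deliberate simplification.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the phishing email quoted in the post.
# The link host is invented for illustration, not the one from the real message.
SAMPLE = """From: Wells Fargo <smrfc@notify.wellsfargo.com>
Subject: Important Notice Regarding Your Account

Dear Wells Fargo Member:

We recently have determined that different computers have tried to log in to your account.
Multiple password failures automatically places your account on hold.
If this is not completed by December 03 2014, we will be forced to suspend your account indefinitely.

To remove limitations from your account click on the following link:

https://online.wellsfargo.com.account-verify.invalid/cgi-bin/Logon.aspx?sd
"""

# Phrases the post singles out as pressure tactics: tight deadline, severe consequence.
URGENCY = ("suspend", "indefinitely", "forced to", "if this is not completed by",
           "on hold", "immediately")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable(host):
    # Simplification: treat the last two labels as the registrable domain.
    # A production check would consult the Public Suffix List instead.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_indicators(raw):
    """Return a list of human-readable phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = msg.get("From", "")
    m = re.search(r"@([\w.-]+)", sender)
    sender_domain = registrable(m.group(1)) if m else ""
    indicators = []

    # 1. The embedded link must sit under the same registrable domain as the claimed sender.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable(host) != sender_domain:
            indicators.append(f"link host {host} is not under sender domain {sender_domain}")

    lowered = body.lower()
    # 2. Deadline / suspension language.
    hits = [p for p in URGENCY if p in lowered]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    # 3. Generic salutation instead of the account holder's name.
    if re.search(r"^dear .*\b(member|customer)\b", lowered, re.M):
        indicators.append("generic greeting instead of account holder name")
    # 4. The message asks the reader to log in through its own link.
    if "click on the following link" in lowered:
        indicators.append("asks the reader to log in via an embedded link")
    return indicators
```

The first indicator is the decisive one: a message whose sender domain looks right but whose link points elsewhere should be treated as phishing regardless of how polished the rest of it is.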